CVE-2018-10832

Name of the Vulnerable Software and Affected Versions ModbusPal version 1.6b

Description The issue allows for an XML External Entity (XXE) attack. This occurs because projects and automations are saved in XML-based files (.xmpp and .xmpa respectively), which are susceptible to XXE injection. By sending a specially crafted .xmpp or .xmpa file to a user, when opened or imported in ModbusPal, it can return the contents of any local files to a remote attacker.

Recommendations For ModbusPal version 1.6b, as a temporary workaround, consider avoiding the use of .xmpp and .xmpa files from untrusted sources until a patch is available. Restrict access to sensitive local files to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.