PT-2020-20164 · Abb · Spe For Melody+17
Published: 2020-04-29 · Updated: 2022-10-28
CVE-2020-8479
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
ABB Ability System 800xA versions 5.1 through 6.1
Compact HMI versions 5.1 through 6.0
Control Builder Safe versions 1.0 through 2.0
Symphony Plus -S+ Operations versions 3.0 through 3.2
Symphony Plus -S+ Engineering versions 1.1 through 2.2
Composer Harmony versions 5.1 through 6.1
Melody Composer versions 5.3, 6.1/6.2
SPE for Melody version 1.0SPx (Composer 6.3)
Harmony OPC Server (HAOPC) Standalone versions 6.0 through 7.0
ABB Ability System 800xA/ Advant OCS Control Builder A versions 1.3 through 1.4
Advant OCS AC100 OPC Server versions 5.1 through 6.1
Composer CTK versions 6.1 through 6.2
AdvaBuild versions 3.7 SP1 through 3.7 SP2
OPCServer for MOD 300 (non-800xA) version 1.4
OPC Data Link versions 2.1 through 2.2
Knowledge Manager versions 8.0 through 9.1
Manufacturing Operations Management versions 1812 through 1909
ABB Ability SCADAvantage versions 5.1 through 5.6.5
Description
An XML External Entity Injection issue exists that allows an attacker to read or call arbitrary files from the license server and/or from the network, and also to block license handling.
Recommendations
For ABB Ability System 800xA versions 5.1 through 6.1, update to a version that includes a fix for the XML External Entity Injection issue.
For Compact HMI versions 5.1 through 6.0, update to a version that includes a fix for the XML External Entity Injection issue.
For Control Builder Safe versions 1.0 through 2.0, update to a version that includes a fix for the XML External Entity Injection issue.
For Symphony Plus -S+ Operations versions 3.0 through 3.2, update to a version that includes a fix for the XML External Entity Injection issue.
For Symphony Plus -S+ Engineering versions 1.1 through 2.2, update to a version that includes a fix for the XML External Entity Injection issue.
For Composer Harmony versions 5.1 through 6.1, update to a version that includes a fix for the XML External Entity Injection issue.
For Melody Composer versions 5.3, 6.1/6.2, update to a version that includes a fix for the XML External Entity Injection issue.
For SPE for Melody version 1.0SPx (Composer 6.3), update to a version that includes a fix for the XML External Entity Injection issue.
For Harmony OPC Server (HAOPC) Standalone versions 6.0 through 7.0, update to a version that includes a fix for the XML External Entity Injection issue.
For ABB Ability System 800xA/ Advant OCS Control Builder A versions 1.3 through 1.4, update to a version that includes a fix for the XML External Entity Injection issue.
For Advant OCS AC100 OPC Server versions 5.1 through 6.1, update to a version that includes a fix for the XML External Entity Injection issue.
For Composer CTK versions 6.1 through 6.2, update to a version that includes a fix for the XML External Entity Injection issue.
For AdvaBuild versions 3.7 SP1 through 3.7 SP2, update to a version that includes a fix for the XML External Entity Injection issue.
For OPCServer for MOD 300 (non-800xA) version 1.4, update to a version that includes a fix for the XML External Entity Injection issue.
For OPC Data Link versions 2.1 through 2.2, update to a version that includes a fix for the XML External Entity Injection issue.
For Knowledge Manager versions 8.0 through 9.1, update to a version that includes a fix for the XML External Entity Injection issue.
For Manufacturing Operations Management versions 1812 through 1909, update to a version that includes a fix for the XML External Entity Injection issue.
For ABB Ability SCADAvantage versions 5.1 through 5.6.5, update to a version that includes a fix for the XML External Entity Injection issue.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Affected Products
Abb Ability Scadavantage
Abb Ability System 800Xa
Advabuild
Advant Ocs Ac100 Opc Server
Advant Ocs Control Builder A
Compact Hmi
Composer Ctk
Composer Harmony
Control Builder Safe
Harmony Opc Server (Haopc) Standalone
Knowledge Manager
Manufacturing Operations Management
Melody Composer
Opc Data Link
Opcserver For Mod 300
Spe For Melody
Symphony Plus -S+ Engineering
Symphony Plus -S+ Operations