PT-2021-11512 · Siemens · Siemens Solid Edge Se2020+1

Published: 2021-03-11 · Updated: 2021-07-15 · CVE-2020-28387
CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Siemens Solid Edge SE2020 versions prior to SE2020MP13; Siemens Solid Edge SE2021 versions prior to SE2021MP3
Description: A vulnerability allows remote attackers to disclose arbitrary files when a user opens a specially crafted SEECTCXML file. It occurs because the file's content is passed to the underlying XML parser without proper restrictions, such as prohibiting an external DTD (an XML external entity, XXE, weakness).
Recommendations: For Siemens Solid Edge SE2020 versions prior to SE2020MP13, update to SE2020MP13 or later to resolve the issue. For Siemens Solid Edge SE2021 versions prior to SE2021MP3, update to SE2021MP3 or later to resolve the issue. As a temporary workaround, consider restricting the use of SEECTCXML files until a patch is applied.
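The restriction the description says was missing is a parser that refuses DTDs before any entity in them can be declared or expanded. The following is an added illustration, not code from Siemens, Solid Edge or this advisory: it uses Python's expat binding as a stand-in for whatever parser Solid Edge embeds, rejects any DOCTYPE (internal subset or external reference) on sight, and includes a byte-level triage check for files already on disk. The sample documents are constructed; SEECTCXML's real element names are not on the page, so the ones used here are made up, and the SYSTEM identifiers are placeholders.

```python
"""Reject DTDs at parse time, the restriction an XXE fix needs.

Added example (not the vendor's or advisory's code). A DOCTYPE is the
only place an entity can be declared, so refusing it removes the XXE
mechanism outright instead of trying to filter individual entities.
"""
import xml.parsers.expat

# Constructed sample inputs. Element names are invented stand-ins for the
# SEECTCXML format; the SYSTEM identifiers are deliberate placeholders.
BENIGN_DOC = (
    b'<?xml version="1.0"?>'
    b'<settings><units>mm</units><tolerance>0.01</tolerance></settings>'
)
INTERNAL_DTD_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE settings [ <!ENTITY ext SYSTEM "file:///placeholder.txt"> ]>'
    b'<settings><units>&ext;</units></settings>'
)
EXTERNAL_DTD_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE settings SYSTEM "http://dtd.example.invalid/settings.dtd">'
    b'<settings><units>mm</units></settings>'
)


class DtdRejected(ValueError):
    """The document declares a DOCTYPE; the hardened parser refused it."""


def parse_without_dtd(data: bytes) -> dict:
    """Parse `data` and return {element name: character data}.

    Raises DtdRejected as soon as a DOCTYPE is seen. The handler fires
    before expat processes the internal subset, so an <!ENTITY ... SYSTEM>
    declaration inside it is never registered, let alone expanded.
    """
    parser = xml.parsers.expat.ParserCreate()
    parser.buffer_text = True  # deliver each element's text in one chunk
    text, stack = {}, []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdRejected(
            f"DOCTYPE {name!r} rejected "
            f"(system id={sysid!r}, internal subset={bool(has_internal_subset)})"
        )

    def on_external_entity(context, base, system_id, public_id):
        # Defence in depth: if the DOCTYPE check were ever removed, returning
        # 0 here makes expat abort rather than fetch the referenced resource.
        return 0

    def on_start(name, attrs):
        stack.append(name)

    def on_end(name):
        stack.pop()

    def on_text(chunk):
        if stack:
            text[stack[-1]] = text.get(stack[-1], "") + chunk

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_text
    parser.Parse(data, True)
    return text


def rejects_dtd(data: bytes) -> bool:
    """True if the hardened parser refuses `data` because of a DOCTYPE."""
    try:
        parse_without_dtd(data)
    except DtdRejected:
        return True
    return False


def looks_like_dtd(data: bytes) -> bool:
    """Cheap triage for files on disk: does the raw bytes carry a DTD at all?

    XML keywords are case-sensitive, so only the upper-case forms count.
    Useful for scanning a directory of SEECTCXML files before they are opened.
    """
    return b"<!DOCTYPE" in data or b"<!ENTITY" in data


if __name__ == "__main__":
    print("benign:", parse_without_dtd(BENIGN_DOC))
    for label, doc in (("internal DTD", INTERNAL_DTD_DOC),
                       ("external DTD", EXTERNAL_DTD_DOC)):
        try:
            parse_without_dtd(doc)
        except DtdRejected as exc:
            print(f"{label}: refused ({exc}); triage flag={looks_like_dtd(doc)}")
```

`looks_like_dtd` is a coarse pre-filter (a legitimate file that merely mentions `<!DOCTYPE` in a CDATA section would trip it), so treat a hit as "needs a look" rather than proof of tampering; `parse_without_dtd` is the actual control.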

Fix

XXE

Weakness Enumeration

Related Identifiers

CVE-2020-28387
ZDI-21-266

Affected Products

Siemens Solid Edge Se2020
Siemens Solid Edge Se2021