CVE-2021-20595

Name of the Vulnerable Software and Affected Versions: Mitsubishi Electric Air Conditioning System/Centralized Controllers versions 3.35 and prior Mitsubishi Electric Air Conditioning System/Centralized Controllers versions 3.20 and prior Mitsubishi Electric Air Conditioning System/Centralized Controllers versions 9.11 and prior Mitsubishi Electric Air Conditioning System/Centralized Controllers versions 7.09 and prior Mitsubishi Electric Air Conditioning System/Centralized Controllers versions 7.93 and prior Mitsubishi Electric Air Conditioning System/Expansion Controllers versions 2.20 and prior Mitsubishi Electric Air Conditioning System/BM adapter versions 2.21 and prior Mitsubishi Electric Air Conditioning System/Expansion Controllers versions 1.30 and prior

Description: The issue is related to an Improper Restriction of XML External Entity Reference, allowing a remote unauthenticated attacker to disclose some data in the air conditioning system or cause a Denial of Service (DoS) condition by sending specially crafted packets.

Recommendations: For Mitsubishi Electric Air Conditioning System/Centralized Controllers versions 3.35 and prior, update to a version later than 3.35. For Mitsubishi Electric Air Conditioning System/Centralized Controllers versions 3.20 and prior, update to a version later than 3.20. For Mitsubishi Electric Air Conditioning System/Centralized Controllers versions 9.11 and prior, update to a version later than 9.11. For Mitsubishi Electric Air Conditioning System/Centralized Controllers versions 7.09 and prior, update to a version later than 7.09. For Mitsubishi Electric Air Conditioning System/Centralized Controllers versions 7.93 and prior, update to a version later than 7.93. For Mitsubishi Electric Air Conditioning System/Expansion Controllers versions 2.20 and prior, update to a version later than 2.20. For Mitsubishi Electric Air Conditioning System/BM adapter versions 2.21 and prior, update to a version later than 2.21. For Mitsubishi Electric Air Conditioning System/Expansion Controllers versions 1.30 and prior, update to a version later than 1.30.