PT-2022-2567 · Siemens · Desigo PXC4, Desigo PXC5

Published

2022-05-10

·

Updated

2023-06-30

·

CVE-2022-24039

CVSS v3.1

9.0

Critical

Vector

AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Desigo PXC4, all versions prior to V02.20.142.10-10884
Desigo PXC5, all versions prior to V02.20.142.10-10884
Description

The addCell JavaScript function does not properly sanitize user-controllable input before including it in the XML body of the generated XLS report document. An attacker can therefore inject arbitrary content, including XML tags, into the generated file. A user with restricted privileges can use the application to deliver such a crafted report to higher-privileged users and obtain remote code execution (RCE) on the workstation of an administrator who opens it; this is why the vector carries PR:L, UI:R and a changed scope (S:C).
Recommendations

Desigo PXC4: update all versions prior to V02.20.142.10-10884 to V02.20.142.10-10884 or later.
Desigo PXC5: update all versions prior to V02.20.142.10-10884 to V02.20.142.10-10884 or later.

After updating, confirm on each controller that the installed version is V02.20.142.10-10884 or later. If the update cannot be applied immediately, reduce exposure in the meantime: restrict the XLS report generation feature to trusted users, avoid placing user-controllable input in the report document, and consider disabling the addCell-based report export altogether so that low-privileged users cannot inject content into files that administrators will open.
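The following Node.js script is an added illustration of the bug class described above and of the corresponding fix. It is not Siemens' code: the page does not show the real addCell implementation, so the vulnerable builder, the hardened builder and the helper names (addCellVulnerable, addCellSafe, escapeXml, buildWorkbook, countCells, compareBuilders) are hypothetical, the SpreadsheetML (XML Spreadsheet 2003) layout is an assumption about the report format, and the rows are constructed sample data. It shows how a single unescaped value lets a low-privileged user add cells of their own to the generated report, and that escaping the value before interpolation turns the same payload into inert cell text.

```javascript
// Added example, not Siemens' code: reconstructs the bug class described in the
// advisory (unescaped user input concatenated into the XML body of an XLS report).
// Assumptions: SpreadsheetML (XML Spreadsheet 2003) layout; all names are hypothetical.

// Vulnerable variant: the value is interpolated as-is, so any "<" or "&" in it
// becomes part of the document's markup rather than part of the cell's text.
function addCellVulnerable(value) {
  return '<Cell><Data ss:Type="String">' + value + '</Data></Cell>';
}

// Escape the five characters that can alter XML structure or delimit attributes.
function escapeXml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&apos;');
}

// Hardened variant: escape before interpolating into element content.
function addCellSafe(value) {
  return '<Cell><Data ss:Type="String">' + escapeXml(value) + '</Data></Cell>';
}

// Wrap rows of values in a minimal workbook so the output is a complete XML document.
function buildWorkbook(rows, addCell) {
  const body = rows
    .map((row) => '<Row>' + row.map(addCell).join('') + '</Row>')
    .join('');
  return (
    '<?xml version="1.0"?>' +
    '<Workbook xmlns="urn:schemas-microsoft-com:office:spreadsheet"' +
    ' xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet">' +
    '<Worksheet ss:Name="Report"><Table>' + body + '</Table></Worksheet></Workbook>'
  );
}

// Number of <Cell> elements in the markup. With the vulnerable builder a single
// input can produce several cells; the safe builder yields exactly one per value.
function countCells(xml) {
  return (xml.match(/<Cell>/g) || []).length;
}

// Constructed sample input: a low-privileged user sets a device name that closes
// the current cell and smuggles an extra, attacker-chosen cell into the report.
// The payload ends by reopening a cell so the surrounding markup stays well-formed.
const INJECTED_NAME =
  'AHU-01</Data></Cell>' +
  '<Cell><Data ss:Type="String">injected by user</Data></Cell>' +
  '<Cell><Data ss:Type="String">';

const SAMPLE_ROWS = [
  ['Device', 'Status'],
  [INJECTED_NAME, 'OK'],
];

// Generate the report both ways and summarise what changed.
function compareBuilders(rows = SAMPLE_ROWS) {
  const vulnerable = buildWorkbook(rows, addCellVulnerable);
  const safe = buildWorkbook(rows, addCellSafe);
  return {
    vulnerableCells: countCells(vulnerable),
    safeCells: countCells(safe),
    // In the safe output the attacker's tags survive only as escaped text.
    injectedCellIsText: safe.includes(
      '&lt;Cell&gt;&lt;Data ss:Type=&quot;String&quot;&gt;injected by user'
    ),
    // In the vulnerable output they are real markup.
    injectedCellIsMarkup: vulnerable.includes(
      '<Cell><Data ss:Type="String">injected by user</Data></Cell>'
    ),
  };
}

const result = compareBuilders();
console.log(JSON.stringify(result, null, 2));
```

Run it with node; the vulnerable workbook ends up with six cells for four values, the hardened one with exactly four. countCells is a deliberately crude regex check used only to make the structural difference visible; a real review would parse the output with an XML parser. The script demonstrates the injection of content into the report file, which is all the advisory describes; how an injected cell then leads to code execution on the administrator's workstation depends on the application that opens the file and is not detailed on this page.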

Related Identifiers

BDU:2022-03006
CVE-2022-24039

Affected Products

Desigo PXC4
Desigo PXC5