PT-2024-33656 · Siemens · Comos

Published: 2024-12-10 · Updated: 2024-12-10 · CVE-2024-49704

CVSS v4.0: 5.7 (Medium)
Vector: AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions:
COMOS V10.3 versions prior to V10.3.3.5.8
COMOS V10.4.0 versions prior to V10.4.4.2
COMOS V10.4.1 versions prior to V10.4.4.2
COMOS V10.4.2 versions prior to V10.4.4.2
COMOS V10.4.3 versions prior to V10.4.3.0.47
COMOS V10.4.4 versions prior to V10.4.4.2
COMOS V10.4.4.1 versions prior to V10.4.4.1.21
Description: The Generic Data Mapper, Engineering Adapter, and Engineering Interface components improperly handle XML External Entity (XXE) declarations when parsing configuration and mapping files. An attacker who persuades a user to load a maliciously crafted configuration or mapping file in one of these components could read any file at a known location on the user's system or on an accessible network folder.
Recommendations:
For COMOS V10.3 versions prior to V10.3.3.5.8, update to version V10.3.3.5.8 or later.
For COMOS V10.4.0, update to a version that is not affected.
For COMOS V10.4.1, update to a version that is not affected.
For COMOS V10.4.2, update to a version that is not affected.
For COMOS V10.4.3 versions prior to V10.4.3.0.47, update to version V10.4.3.0.47 or later.
For COMOS V10.4.4 versions prior to V10.4.4.2, update to version V10.4.4.2 or later.
For COMOS V10.4.4.1 versions prior to V10.4.4.1.21, update to version V10.4.4.1.21 or later.
As a temporary workaround, consider restricting the use of the Generic Data Mapper, Engineering Adapter, and Engineering Interface components until a patch is available. Do not load configuration or mapping files from untrusted sources into the affected components.
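The hardening the fix implies, as an added example that is not part of this advisory or of Siemens' code: a Python loader for a configuration/mapping file that refuses any DTD or external entity reference before the XML parser can expand it, run against a constructed benign file and a constructed file carrying the XXE pattern. The element names, attribute names and the placeholder file path are assumptions, not the real COMOS mapping format.

```python
import xml.parsers.expat


class UnsafeXmlError(ValueError):
    """A mapping file carried a DTD or an external entity reference."""


def parse_mapping_file(data: bytes) -> dict:
    """Return {source: target} from <map source=".." target=".."/> elements.
    Any <!DOCTYPE ...> (hence any <!ENTITY ...>) aborts parsing before an entity
    could be expanded. Element/attribute names are assumptions, not COMOS's format."""
    mapping = {}
    parser = xml.parsers.expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlError(f"DTD not allowed in mapping file (DOCTYPE {name!r})")

    def reject_external_entity(context, base, system_id, public_id):
        # Second line of defence: never fetch a SYSTEM or PUBLIC entity.
        raise UnsafeXmlError(f"external entity {system_id!r} refused")

    def start_element(name, attrs):
        if name == "map":
            mapping[attrs["source"]] = attrs["target"]

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external_entity
    parser.StartElementHandler = start_element
    parser.Parse(data, True)
    return mapping


def load_or_reject(data: bytes):
    """(mapping, None) on success, (None, reason) so the refusal can be logged."""
    try:
        return parse_mapping_file(data), None
    except UnsafeXmlError as exc:
        return None, str(exc)


# Constructed sample: a benign mapping file.
SAFE_MAPPING = b"""<mapping>
  <map source="Tag" target="Name"/>
  <map source="Unit" target="Plant"/>
</mapping>"""

# Constructed sample of the weakness: a DTD declaring an external entity
# (placeholder path) whose contents would be pulled into a mapping value.
XXE_MAPPING = b"""<!DOCTYPE mapping [ <!ENTITY ext SYSTEM "file:///C:/PLACEHOLDER/x.txt"> ]>
<mapping>
  <map source="Tag" target="&ext;"/>
</mapping>"""
```

The same DOCTYPE rejection also blocks an external DTD (`<!DOCTYPE mapping SYSTEM "...">`), which is the other route by which entity declarations reach the parser.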

Fix
XXE

Weakness Enumeration

Related Identifiers: BDU:2025-01565, CVE-2024-49704

Affected Products: Comos