PT-2024-36012 · Siemens · Comos

Published: 2024-12-10 · Updated: 2024-12-10 · CVE-2024-54005

CVSS v3.1: 5.1 (Medium)
Vector: AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions:
COMOS V10.3 versions prior to V10.3.3.5.8
COMOS V10.4.0 versions prior to V10.4.0
COMOS V10.4.1 versions prior to V10.4.1
COMOS V10.4.2 versions prior to V10.4.2
COMOS V10.4.3 versions prior to V10.4.3.0.47
COMOS V10.4.4 versions prior to V10.4.4.2
COMOS V10.4.4.1 versions prior to V10.4.4.1.21
Description: The PDMS/E3D Engineering Interface in COMOS improperly handles XML External Entity (XXE) entries when communicating with an external application. This could allow an attacker to extract any file with a known location on the user's system or accessible network folders by injecting malicious data into the communication channel between the two systems.
Recommendations:
For COMOS V10.3 versions prior to V10.3.3.5.8, update to version V10.3.3.5.8 or later.
For COMOS V10.4.0, update to a version that is not affected by this issue.
For COMOS V10.4.1, update to a version that is not affected by this issue.
For COMOS V10.4.2, update to a version that is not affected by this issue.
For COMOS V10.4.3 versions prior to V10.4.3.0.47, update to version V10.4.3.0.47 or later.
For COMOS V10.4.4 versions prior to V10.4.4.2, update to version V10.4.4.2 or later.
For COMOS V10.4.4.1 versions prior to V10.4.4.1.21, update to version V10.4.4.1.21 or later.
As a temporary workaround, consider restricting access to the PDMS/E3D Engineering Interface to minimize the risk of exploitation.
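The weakness described above is the classic XXE pattern: an XML consumer that honours a DOCTYPE with external entity declarations lets the sender of the message turn the parser into a file reader. The following Python example is added here for illustration; it is not COMOS code and does not reproduce the PDMS/E3D interface. It shows the hardening a defender applies to any XML exchange channel that never legitimately carries a DTD: reject the message at the first DOCTYPE declaration before any entity can be declared or expanded, and only then hand the document to the application parser. The sample messages, the element names and the file path in the entity declaration are constructed placeholders, not values from the advisory.

```python
"""Reject DOCTYPE-bearing XML before it reaches the application parser.

Added example (not vendor code). Assumption: the exchange format carries no
DTD, so any DOCTYPE, internal or external, is treated as hostile input.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class DoctypeRejected(ValueError):
    """Raised when an incoming message declares a DOCTYPE."""


def contains_doctype(xml_bytes: bytes) -> bool:
    """Return True if the document opens a DOCTYPE declaration.

    A bare expat parser is used only as a scanner: it fetches nothing,
    and the handler aborts the parse as soon as the DOCTYPE appears,
    so no entity declared inside it is ever processed.
    """
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE {name!r} is not allowed on this channel")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(xml_bytes, True)
    except DoctypeRejected:
        return True
    except xml.parsers.expat.ExpatError:
        # Malformed but DOCTYPE-free input: let the real parser report it.
        return False
    return False


def parse_exchange_message(xml_bytes: bytes) -> ET.Element:
    """Parse an inbound message, refusing anything that carries a DOCTYPE.

    Because the DOCTYPE check runs first, neither external entities
    (SYSTEM/PUBLIC references) nor internal entity expansion can occur.
    """
    if contains_doctype(xml_bytes):
        raise DoctypeRejected("message rejected: DOCTYPE present")
    return ET.fromstring(xml_bytes)


# Constructed sample messages (not from the advisory).
CLEAN_MESSAGE = (
    b'<?xml version="1.0"?>'
    b'<exchange><item id="P-100">Pump</item></exchange>'
)

# A message of the kind the weakness concerns: the DOCTYPE declares an
# external entity pointing at a file path; the path is a placeholder.
XXE_MESSAGE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE exchange [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/secret.txt">]>'
    b'<exchange><item id="P-100">&ext;</item></exchange>'
)


if __name__ == "__main__":
    root = parse_exchange_message(CLEAN_MESSAGE)
    print("accepted:", root.tag, root.find("item").text)
    try:
        parse_exchange_message(XXE_MESSAGE)
    except DoctypeRejected as exc:
        print("rejected:", exc)
```

Rejecting the DOCTYPE outright is the strongest and simplest control when the interface's schema never uses one; where a DTD is genuinely required, the equivalent is to configure the parser to disable external general and parameter entities (for Python's SAX parser that is `feature_external_ges` and `feature_external_pes`, or simply use the `defusedxml` package). The check belongs on the receiving side of the channel, not in the sender, since the advisory's threat is data injected into the communication between the two systems.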

Fix · XXE

Weakness Enumeration

Related Identifiers: CVE-2024-54005

Affected Products: Comos