CVE-2020-5602 Information

Description

Mitsubishi Electoric FA Engineering Software (CPU Module Logging Configuration Tool Ver. 1.94Y and earlier CW Configurator Ver. 1.010L and earlier EM Software Development Kit (EM Configurator) Ver. 1.010L and earlier GT Designer3 (GOT2000) Ver. 1.221F and earlier GX LogViewer Ver. 1.96A and earlier GX Works2 Ver. 1.586L and earlier GX Works3 Ver. 1.058L and earlier M_CommDTM-HART Ver. 1.00A M_CommDTM-IO-Link Ver. 1.02C and earlier MELFA-Works Ver. 4.3 and earlier MELSEC-L Flexible High-Speed I/O Control Module Configuration Tool Ver.1.004E and earlier MELSOFT FieldDeviceConfigurator Ver. 1.03D and earlier MELSOFT iQ AppPortal Ver. 1.11M and earlier MELSOFT Navigator Ver. 2.58L and earlier MI Configurator Ver. 1.003D and earlier Motion Control Setting Ver. 1.005F and earlier MR Configurator2 Ver. 1.72A and earlier MT Works2 Ver. 1.156N and earlier RT ToolBox2 Ver. 3.72A and earlier and RT ToolBox3 Ver. 1.50C and earlier) allows an attacker to conduct XML External Entity (XXE) attacks via unspecified vectors.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Reference

https://jvn.jp/en/vu/JVNVU90307594/index.html https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-004_en.pdf

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

NONE

Base Severity

7.5