CVE-2024-49704
A vulnerability has been identified in COMOS V10.3 (All versions < V10.3.3.5.8), COMOS V10.4.0 (All versions), COMOS V10.4.1 (All versions), COMOS V10.4.2 (All versions), COMOS V10.4.3 (All versions < V10.4.3.0.47), COMOS V10.4.4 (All versions < V10.4.4.2), COMOS V10.4.4.1 (All versions < V10.4.4.1.21). The Generic Data Mapper, the Engineering Adapter, and the Engineering Interface improperly handle XML External Entity (XXE) entries when parsing configuration and mapping files. This could allow an attacker to extract any file with a known location on the user's system or accessible network folders by persuading a user to use a maliciously crafted configuration or mapping file in one of the affected components.
EPSS 0.10% · 26.4th percentile
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Siemens | COMOS V10.4.2 | 0 |
| Siemens | COMOS V10.4.1 | 0 |
| Siemens | COMOS V10.4.0 | 0 |
| Siemens | COMOS V10.3 | 0 |
| Siemens | COMOS V10.4.4 | 0 |
| Siemens | COMOS V10.4.3 | 0 |
| Siemens | COMOS V10.4.4.1 | 0 |
Timeline
- Dec 10, 2024 CVE Published
- Dec 10, 2024 CVE Updated
- Dec 11, 2024 EPSS Score
- Dec 12, 2024 PoC Published
- Dec 28, 2024 EPSS Score
- Jan 13, 2025 EPSS Score
- Jan 30, 2025 EPSS Score
- Feb 16, 2025 EPSS Score
- Mar 5, 2025 EPSS Score
- Mar 21, 2025 EPSS Score
- Apr 7, 2025 EPSS Score
- Apr 24, 2025 EPSS Score