CVE-2019-10924

A vulnerability has been identified in LOGO! Soft Comfort (All versions < V8.3). The vulnerability could allow an attacker to execute arbitrary code if the attacker tricks a legitimate user to open a manipulated project. In order to exploit the vulnerability, a valid user must open a manipulated project file. No further privileges are required on the target system. The vulnerability could compromise the confidentiality, integrity and availability of the engineering station. At the time of advisory publication no public exploitation of this security vulnerability was known.

CVSS v3 7.8 HIGH
CVSS v2.0 6.8 MEDIUM

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://www.securityfocus.com/bid/108368	Third Party Advisory VDB Entry
https://cert-portal.siemens.com/productcert/pdf/ssa-102144.pdf	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:siemens:logo\!_soft_comfort:*:*:*:*:*:*:*:*

History

04 Jan 2022, 18:11

Type	Values Removed	Values Added
CWE	~~NVD-CWE-noinfo~~

Information

Published : 2019-05-14 20:29

Updated : 2023-12-10 12:59

NVD link : CVE-2019-10924

Mitre link : CVE-2019-10924

CVE.ORG link : CVE-2019-10924

JSON object : View

Products Affected

siemens

logo\!_soft_comfort

CWE

CWE-502

Deserialization of Untrusted Data

NVD-CWE-noinfo

{"id": "CVE-2019-10924", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2019-05-14T20:29:02.840", "references": [{"url": "http://www.securityfocus.com/bid/108368", "tags": ["Third Party Advisory", "VDB Entry"], "source": "productcert@siemens.com"}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-102144.pdf", "tags": ["Vendor Advisory"], "source": "productcert@siemens.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "productcert@siemens.com", "description": [{"lang": "en", "value": "CWE-502"}]}, {"type": "Secondary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in LOGO! Soft Comfort (All versions < V8.3). The vulnerability could allow an attacker to execute arbitrary code if the attacker tricks a legitimate user to open a manipulated project. In order to exploit the vulnerability, a valid user must open a manipulated project file. No further privileges are required on the target system. The vulnerability could compromise the confidentiality, integrity and availability of the engineering station. At the time of advisory publication no public exploitation of this security vulnerability was known."}, {"lang": "es", "value": "Una vulnerabilidad ha sido encontrada en LOGO! Soft Comfort (Todas las versiones anteriores a la versi\u00f3n V8.3 ). La vulnerabilidad podr\u00eda permitir a un atacante ejecutar c\u00f3digo arbitrario si este enga\u00f1a a un usuario leg\u00edtimo para abrir un proyecto manipulado. Para explotar la vulnerabilidad, un usuario v\u00e1lido necesita abrir un archivo de proyecto manipulado. No se requieren m\u00e1s privilegios en el sistema de destino. La vulnerabilidad podr\u00eda comprometer la confidencialidad, integridad y disponibilidad de la estaci\u00f3n de ingenier\u00eda. Hasta el momento de la publicaci\u00f3n de asesoramiento, no se conoc\u00eda la explotaci\u00f3n p\u00fablica de esta vulnerabilidad de seguridad"}], "lastModified": "2022-01-04T18:11:08.360", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:siemens:logo\\!_soft_comfort:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5E266BC9-BACE-4048-843F-7CF84F673C7D", "versionEndExcluding": "8.3"}], "operator": "OR"}]}], "sourceIdentifier": "productcert@siemens.com"}