CVE-2024-54005

MEDIUM

Siemens COMOS PDMS/E3D Engineering Interface - XML External Entity File Disclosure

Title source: manual

Description

A vulnerability has been identified in COMOS V10.3 (All versions < V10.3.3.5.8), COMOS V10.4.0 (All versions), COMOS V10.4.1 (All versions), COMOS V10.4.2 (All versions), COMOS V10.4.3 (All versions < V10.4.3.0.47), COMOS V10.4.4 (All versions < V10.4.4.2), COMOS V10.4.4.1 (All versions < V10.4.4.1.21). The PDMS/E3D Engineering Interface improperly handles XML External Entity (XXE) entries when communicating with an external application. This could allow an attacker to extract any file with a known location on the user's system or accessible network folders by injecting malicious data into the communication channel between the two systems.

References (1)

Core 1

Core References

Vendor Advisory

https://cert-portal.siemens.com/productcert/html/ssa-701627.html

Scores

CVSS v3 5.1

EPSS 0.0015

EPSS Percentile 5.0%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-611

Status published

Products (7)

Siemens/COMOS V10.3 < V10.3.3.5.8

Siemens/COMOS V10.4.0

Siemens/COMOS V10.4.1

Siemens/COMOS V10.4.2

Siemens/COMOS V10.4.3 < V10.4.3.0.47

Siemens/COMOS V10.4.4 < V10.4.4.2

Siemens/COMOS V10.4.4.1 < V10.4.4.1.21

Published Dec 10, 2024

Tracked Since Feb 18, 2026