CVE-2012-6069
3S CoDeSys Relative Path Traversal
The CoDeSys Runtime Toolkit’s file transfer functionality does not
perform input validation, which allows an attacker to access files and
directories outside the intended scope. This may allow an attacker to
upload and download any file on the device. This could allow the
attacker to affect the availability, integrity, and confidentiality of
the device.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected products
3S-Smart Software Solutions · CoDeSys
3S-Smart Software Solutions · CODESYS Control RTE
3S-Smart Software Solutions · CODESYS Control Runtime embedded
3S-Smart Software Solutions · CODESYS Control Runtime full
Festo · CECX-X-C1 Modular Master Controller with CoDeSys
Festo · CECX-X-M1 Modular Controller with CoDeSys and SoftMotion
References
http://ics-cert.us-cert.gov/advisories/ICSA-14-084-01
https://us.codesys.com/ecosystem/security/
https://www.cisa.gov/news-events/ics-advisories/icsa-13-011-01
https://www.cisa.gov/news-events/ics-advisories/icsa-14-084-01
http://www.codesys.com/news-events/press-releases/detail/article/sicherheitsluecke-in-codesys-v23-laufzeitsystem.html
http://www.digitalbond.com/tools/basecamp/3s-codesys/
http://www.securityfocus.com/bid/56300
http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-01.pdf