CVE-2018-10832
ModbusPal 1.6b is vulnerable to an XML External Entity (XXE) attack. Projects are saved as .xmpp files and automations can be exported as .xmpa files; both formats are XML-based and vulnerable to XXE injection. A crafted .xmpp or .xmpa file sent to a user will, when opened or imported in ModbusPal, return the contents of any local files to a remote attacker.
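A triage check for the file types named above, added here as an example and not taken from ModbusPal or the referenced advisories: it flags .xmpp/.xmpa files that carry a DOCTYPE or entity declarations before anyone opens them. It assumes legitimate project files need no DTD; the function names and sample documents are constructed for illustration.

```python
import re
import sys

# Constructed samples; element names are placeholders, not ModbusPal's real schema.
CLEAN = b'<?xml version="1.0"?>\n<project><item/></project>'
SUSPECT = (b'<?xml version="1.0"?>\n'
           b'<!DOCTYPE p [<!ENTITY x SYSTEM "placeholder.dtd">]>\n<p>&x;</p>')

_DOCTYPE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# Optional '%' covers parameter entities; group 2 is set for external ones.
_ENTITY = re.compile(r"<!ENTITY\s+(%\s+)?[^\s>]+\s+(SYSTEM|PUBLIC)?", re.IGNORECASE)


def decode_xml(data: bytes) -> str:
    """Decode by BOM or leading-byte pattern so UTF-16 files are not missed."""
    for bom, enc in ((b"\xff\xfe", "utf-16-le"), (b"\xfe\xff", "utf-16-be"),
                     (b"\xef\xbb\xbf", "utf-8")):
        if data.startswith(bom):
            return data[len(bom):].decode(enc, errors="replace")
    if data[:2] == b"<\x00":   # UTF-16LE without a BOM
        return data.decode("utf-16-le", errors="replace")
    if data[:2] == b"\x00<":   # UTF-16BE without a BOM
        return data.decode("utf-16-be", errors="replace")
    return data.decode("utf-8", errors="replace")


def screen(data: bytes) -> list:
    """Return the DTD features found; an empty list means none were seen."""
    text = decode_xml(data)
    findings = []
    if _DOCTYPE.search(text):
        findings.append("doctype")
    for match in _ENTITY.finditer(text):
        kind = "external-entity" if match.group(2) else "internal-entity"
        if kind not in findings:
            findings.append(kind)
    return findings


if __name__ == "__main__":
    # Usage: python screen.py file.xmpp [file.xmpa ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            found = screen(fh.read())
        print(f"{path}: {', '.join(found) or 'no DTD declarations'}")
```

The check is a text heuristic for quarantining received files and can flag declarations that sit inside comments or CDATA; it does not replace disabling DTD processing in the parser that loads the file.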
Affected products
n/a · n/a
Public PoCs found — 3
cve_reference · packetstormsecurity.com/files/147573/ModbusPal-1.6b-XML-External-Entity-Injection.html · unverified
cve_reference · www.exploit-db.com/exploits/44607/ · unverified
exploitdb · www.exploit-db.com/exploits/44607 · unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.