XINJE PLC Program Tool up to 3.5.1 uncontrolled search path

A vulnerability was found in XINJE PLC Program Tool up to 3.5.1 and classified as critical. Affected by this issue is an unknown function. There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Field05/12/2022 10:16 AM05/14/2022 10:23 AM05/14/2022 10:29 AM
vendorXINJEXINJEXINJE
namePLC Program ToolPLC Program ToolPLC Program Tool
version<=3.5.1<=3.5.1<=3.5.1
cwe427 (privilege escalation)427 (privilege escalation)427 (privilege escalation)
risk222
cvss3_vuldb_avNNN
cvss3_vuldb_acLLL
cvss3_vuldb_prLLL
cvss3_vuldb_uiNNN
cvss3_vuldb_sUUU
cvss3_vuldb_cHHH
cvss3_vuldb_iHHH
cvss3_vuldb_aHHH
cvss3_cna_avLLL
cvss3_cna_acLLL
cvss3_cna_prLLL
cvss3_cna_uiRRR
cvss3_cna_sUUU
cvss3_cna_cHHH
cvss3_cna_iHHH
cvss3_cna_aHHH
urlhttps://claroty.com/2022/05/11/blog-research-from-project-file-to-code-execution-exploiting-vulnerabilities-in-xinje-plc-program-tool/https://claroty.com/2022/05/11/blog-research-from-project-file-to-code-execution-exploiting-vulnerabilities-in-xinje-plc-program-tool/https://claroty.com/2022/05/11/blog-research-from-project-file-to-code-execution-exploiting-vulnerabilities-in-xinje-plc-program-tool/
cveCVE-2021-34606CVE-2021-34606CVE-2021-34606
cve_assigned162327600016232760001623276000
cve_cnaCERT VDECERT VDECERT VDE
date1652306400 (05/12/2022)1652306400 (05/12/2022)1652306400 (05/12/2022)
cvss2_vuldb_avNNN
cvss2_vuldb_acLLL
cvss2_vuldb_ciCCC
cvss2_vuldb_iiCCC
cvss2_vuldb_aiCCC
cvss2_vuldb_auSSS
cvss2_vuldb_eNDNDND
cvss2_vuldb_rlNDNDND
cvss2_vuldb_rcNDNDND
cvss3_vuldb_eXXX
cvss3_vuldb_rlXXX
cvss3_vuldb_rcXXX
cvss3_cna_basescore7.37.37.3
cvss2_vuldb_basescore9.09.09.0
cvss2_vuldb_tempscore9.09.09.0
cvss3_vuldb_basescore8.88.88.8
cvss3_vuldb_tempscore8.88.88.8
cvss3_meta_basescore8.18.18.1
cvss3_meta_tempscore8.18.18.1
price_0day$0-$5k$0-$5k$0-$5k
cve_nvd_summaryA vulnerability exists in XINJE XD/E Series PLC Program Tool in versions up to v3.5.1 that can allow an authenticated, local attacker to load a malicious DLL. Local access is required to successfully exploit this vulnerability. This means the potential attacker must have access to the system and sufficient file-write privileges. If exploited, the attacker could place a malicious DLL file on the system, that when running XINJE XD/E Series PLC Program Tool will allow the attacker to execute arbitrary code with the privileges of another user's account.A vulnerability exists in XINJE XD/E Series PLC Program Tool in versions up to v3.5.1 that can allow an authenticated, local attacker to load a malicious DLL. Local access is required to successfully exploit this vulnerability. This means the potential attacker must have access to the system and sufficient file-write privileges. If exploited, the attacker could place a malicious DLL file on the system, that when running XINJE XD/E Series PLC Program Tool will allow the attacker to execute arbitrary code with the privileges of another user&#039;s account.

Do you want to use VulDB in your project?

Use the official API to access entries easily!