CVE-2023-4088
9.3
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Summary
Incorrect Default Permissions vulnerability in Mitsubishi Electric Corporation multiple FA engineering software products allows a malicious local attacker to execute a malicious code, resulting in information disclosure, tampering with and deletion, or a denial-of-service (DoS) condition, if the product is installed in a folder other than the default installation folder.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Mitsubishi Electric Corporation | GX Works3 | all versions | affected |
| Mitsubishi Electric Corporation | AL-PCS/WIN-E | all versions | affected |
| Mitsubishi Electric Corporation | CPU Module Logging Configuration Tool | all versions | affected |
| Mitsubishi Electric Corporation | EZSocket | all versions | affected |
| Mitsubishi Electric Corporation | FR Configurator2 | all versions | affected |
| Mitsubishi Electric Corporation | FX Configurator-EN | all versions | affected |
| Mitsubishi Electric Corporation | FX Configurator-EN-L | all versions | affected |
| Mitsubishi Electric Corporation | FX Configurator-FP | all versions | affected |
| Mitsubishi Electric Corporation | GT Designer3 Version1(GOT1000) | all versions | affected |
| Mitsubishi Electric Corporation | GT Designer3 Version1(GOT2000) | all versions | affected |
| Mitsubishi Electric Corporation | GT SoftGOT1000 Version3 | all versions | affected |
| Mitsubishi Electric Corporation | GT SoftGOT2000 Version1 | all versions | affected |
| Mitsubishi Electric Corporation | GX LogViewer | all versions | affected |
| Mitsubishi Electric Corporation | GX Works2 | all versions | affected |
| Mitsubishi Electric Corporation | MELSOFT FieldDeviceConfigurator | all versions | affected |
| Mitsubishi Electric Corporation | MELSOFT iQ AppPortal | all versions | affected |
| Mitsubishi Electric Corporation | MELSOFT MaiLab | all versions | affected |
| Mitsubishi Electric Corporation | MELSOFT Navigator | all versions | affected |
| Mitsubishi Electric Corporation | MELSOFT Update Manager | all versions | affected |
| Mitsubishi Electric Corporation | MX Component | all versions | affected |
| Mitsubishi Electric Corporation | MX Sheet | all versions | affected |
| Mitsubishi Electric Corporation | PX Developer | all versions | affected |
| Mitsubishi Electric Corporation | RT ToolBox3 | all versions | affected |
| Mitsubishi Electric Corporation | RT VisualBox | all versions | affected |
| Mitsubishi Electric Corporation | Data Transfer | all versions | affected |
| Mitsubishi Electric Corporation | Data Transfer Classic | all versions | affected |
Weaknesses
- CWE-276: CWE-276 Incorrect Default Permissions
ADP Enrichment
CVE Program Container
Additional References
- https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-010_en.pdf
- https://jvn.jp/vu/JVNVU96447193/index.html
- https://www.cisa.gov/news-events/ics-advisories/icsa-23-269-03
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-010_en.pdf
- https://jvn.jp/vu/JVNVU96447193/index.html
- https://www.cisa.gov/news-events/ics-advisories/icsa-23-269-03
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.