PT-2013-36: XML External Entity Injection in Wonderware Win-XML Exporter

Vulnerable software
Wonderware Win-XML Exporter
Version: 1522.148.0.0 and earlier
Application link: http://global.wonderware.com/EN/Pages/default.aspx

Severity level
Severity level: Medium
Impact: Internal Network Resources and File System Access, Denial of Service
Access Vector: Remote
CVSS v2:
  Base Score: 6.3
  Vector: (AV:L/AC:M/Au:N/C:C/I:N/A:C)
CVE: CVE-2012-4710

Software description
Wonderware Win-XML Exporter converts interface windows from InTouch HMI projects and displays them in Internet Explorer with the help of Wonderware Information Server.

Vulnerability description
Positive Research Center experts have discovered an "XML External Entity Injection" vulnerability in Wonderware Win-XML Exporter. If an attacker manages to make a victim open a project that contains specially crafted XML, Wonderware Win-XML Exporter will automatically send the contents of a local or remote resource to the attacker's server. The same weakness also makes denial-of-service attacks possible.

How to fix
Update the software to the latest version.

Advisory status
22.11.2012 - Vendor gets vulnerability details
21.03.2013 - Vendor releases fixed version and details
03.04.2013 - Public disclosure

Credits
The vulnerability was discovered by Timur Yunusov, Alexey Osipov, Ilya Karpov, Positive Research Center (Positive Technologies Company)

References
http://en.securitylab.ru/lab/PT-2013-36

Reports on the vulnerabilities previously discovered by Positive Research:
http://ptsecurity.com/research/advisory/
http://en.securitylab.ru/lab/
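The root cause described above is an XML parser that honours a DTD embedded in attacker-supplied project data: entities declared there can point at local files or remote URLs (the resource-disclosure case) or expand recursively (the denial-of-service case). The example below is added here for illustration and is not Wonderware's code or part of the advisory; it shows the parser-side mitigation a defender would apply to any XML ingested from untrusted projects. It uses Python's bundled expat parser, refuses the document as soon as a DOCTYPE appears (a data-only export format has no need for one; that is an assumption about the format, whose real schema the advisory does not describe), and additionally refuses to resolve any external entity in case a DTD is ever permitted. The element names and the hostile samples are constructed for the example; the SYSTEM identifier is a placeholder.

```python
"""Reject DOCTYPE-bearing XML before any entity can be declared or resolved.

Added example, not Wonderware code. Element names (WindowExport, Caption)
are hypothetical; the advisory does not describe the real export schema.
"""
import xml.parsers.expat


class UntrustedXmlRejected(Exception):
    """Raised when a document carries constructs a data-only format never needs."""


def _make_hardened_parser(collected):
    parser = xml.parsers.expat.ParserCreate()

    # Never expand parameter entities from an external DTD subset.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    # Entities can only be declared inside a DTD, so refusing any DOCTYPE
    # removes both the XXE and the entity-expansion (DoS) precondition.
    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise UntrustedXmlRejected(f"DOCTYPE {name!r} not allowed")

    # Defence in depth: even if a DTD were accepted, never fetch a
    # file:// or http:// resource named by an external entity.
    def on_external_entity(context, base, system_id, public_id):
        raise UntrustedXmlRejected(f"external entity {system_id!r} refused")

    def on_start(tag, attrs):
        collected.append((tag, attrs))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    return parser


def parse_untrusted(data: bytes):
    """Return a list of (tag, attributes) tuples, or raise UntrustedXmlRejected."""
    elements = []
    parser = _make_hardened_parser(elements)
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UntrustedXmlRejected(f"malformed XML: {exc}") from None
    return elements


def classify(data: bytes) -> str:
    """Convenience wrapper: 'accepted' or 'rejected: <reason>'."""
    try:
        parse_untrusted(data)
        return "accepted"
    except UntrustedXmlRejected as exc:
        return f"rejected: {exc}"


# Constructed benign export: no DOCTYPE, plain elements only.
BENIGN_SAMPLE = b"""<?xml version="1.0"?>
<WindowExport name="Overview"><Caption>Main screen</Caption></WindowExport>"""

# Constructed hostile sample 1: external entity pointing at a local file
# (SYSTEM identifier is a placeholder, not a real path).
XXE_SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE WindowExport [
  <!ENTITY ext SYSTEM "file:///PLACEHOLDER/local-file.txt">
]>
<WindowExport><Caption>&ext;</Caption></WindowExport>"""

# Constructed hostile sample 2: nested internal entities (the expansion
# pattern behind the denial-of-service case), kept tiny on purpose.
EXPANSION_SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE WindowExport [
  <!ENTITY a "aaaa">
  <!ENTITY b "&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;">
]>
<WindowExport><Caption>&c;</Caption></WindowExport>"""


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE),
                          ("xxe", XXE_SAMPLE),
                          ("expansion", EXPANSION_SAMPLE)):
        print(f"{label:10} -> {classify(sample)}")
```

Both hostile samples are stopped at the DOCTYPE declaration, before the parser ever sees the entity declarations, so no file is read, no request leaves the host and no expansion happens. The external-entity handler is a second line for deployments that must keep DTDs enabled for other reasons.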