Vulnerability Details : CVE-2023-5247
Malicious Code Execution Vulnerability due to External Control of File Name or Path in multiple Mitsubishi Electric FA Engineering Software Products allows a malicious attacker to execute a malicious code by having legitimate users open a specially crafted project file, which could result in information disclosure, tampering and deletion, or a denial-of-service (DoS) condition.
Vulnerability category: File inclusionDenial of serviceInformation leak
Products affected by CVE-2023-5247
- cpe:2.3:a:mitsubishielectric:gx_works3:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishielectric:melsoft_navigator:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishielectric:melsoft_iq_appportal:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishielectric:motion_control_setting:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-5247
0.07%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 30 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-5247
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
7.8
|
HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
1.8
|
5.9
|
Mitsubishi Electric Corporation | |
|
7.8
|
HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
1.8
|
5.9
|
NIST |
CWE ids for CVE-2023-5247
-
The product allows user input to control or influence paths or file names that are used in filesystem operations.Assigned by: Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp (Secondary)
-
The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.Assigned by: nvd@nist.gov (Primary)
References for CVE-2023-5247
-
https://jvn.jp/vu/JVNVU93383160/
JVNVU#93383160: 三菱電機製複数のFAエンジニアリングソフトウェア製品におけるファイル名やパス名の外部制御に関する脆弱性Mitigation;Third Party Advisory
-
https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-016_en.pdf
Mitigation;Vendor Advisory
Jump to