CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-1552 – ToolboxST Deserialization of Untrusted Configuration Data
https://notcve.org/view.php?id=CVE-2023-1552
11 Apr 2023 — ToolboxST prior to version 7.10 is affected by a deserialization vulnerability. An attacker with local access to an HMI or who has conducted a social engineering attack on an authorized operator could execute code in a Toolbox user's context through the deserialization of an untrusted configuration file. Two CVSS scores have been provided to capture the differences between the two aforementioned attack vectors. Customers are advised to update to ToolboxST 7.10 which can be found in ControlST 7.10. If unable... • https://www.ge.com/content/dam/cyber_security/global/en_US/pdfs/2023-03-23_ToolboxST_Deserialization_of_Untrusted_Configuration_Data.pdf • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-44477 – GE Gas Power ToolBoxST Improper Restriction of XML External Entity Reference
https://notcve.org/view.php?id=CVE-2021-44477
25 Mar 2022 — GE Gas Power ToolBoxST Version v04.07.05C suffers from an XML external entity (XXE) vulnerability using the DTD parameter entities technique that could result in disclosure and retrieval of arbitrary data on the affected node via an out-of-band (OOB) attack. The vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project/template file. GE Gas Power ToolBoxST Versión v04.07.05C, sufre una vulnerabilidad de tipo XML external entity (XXE) usando la técnica de e... • https://www.cisa.gov/uscert/ics/advisories/icsa-22-025-01 • CWE-611: Improper Restriction of XML External Entity Reference •