CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-1552 – ToolboxST Deserialization of Untrusted Configuration Data
https://notcve.org/view.php?id=CVE-2023-1552
ToolboxST prior to version 7.10 is affected by a deserialization vulnerability. An attacker with local access to an HMI or who has conducted a social engineering attack on an authorized operator could execute code in a Toolbox user's context through the deserialization of an untrusted configuration file. Two CVSS scores have been provided to capture the differences between the two aforementioned attack vectors. Customers are advised to update to ToolboxST 7.10 which can be found in ControlST 7.10. If unable to update at this time customers should ensure they are following the guidance laid out in GE Gas Power's Secure Deployment Guide (GEH-6839). Customers should ensure they are not running ToolboxST as an Administrative user. • https://www.ge.com/content/dam/cyber_security/global/en_US/pdfs/2023-03-23_ToolboxST_Deserialization_of_Untrusted_Configuration_Data.pdf • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-44477 – GE Gas Power ToolBoxST Improper Restriction of XML External Entity Reference
https://notcve.org/view.php?id=CVE-2021-44477
GE Gas Power ToolBoxST Version v04.07.05C suffers from an XML external entity (XXE) vulnerability using the DTD parameter entities technique that could result in disclosure and retrieval of arbitrary data on the affected node via an out-of-band (OOB) attack. The vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project/template file. GE Gas Power ToolBoxST Versión v04.07.05C, sufre una vulnerabilidad de tipo XML external entity (XXE) usando la técnica de entidades de parámetros DTD que podría resultar en una divulgación y recuperación de datos arbitrarios en el nodo afectado por medio de un ataque fuera de banda (OOB). La vulnerabilidad es desencadenada cuando la entrada que es pasada al analizador XML no es saneada mientras es analizado el archivo de proyecto/plantilla XML • https://www.cisa.gov/uscert/ics/advisories/icsa-22-025-01 • CWE-611: Improper Restriction of XML External Entity Reference •