Summary
Several Pilz software products do not properly check pathnames contained in archives. An attacker can utilise this vulnerability to write arbitrary files, potentially leading to code execution.
Impact
The affected software products are using ZIP archives to save and load project backups and libraries. When loading a ZIP archive, the contained pathnames are not checked properly for relative path components. If a user loads a manipulated ZIP archive the vulnerability can be used to place potentially malicious files outside of the application's working directory. Depending on the user's privileges this can lead to code execution.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| PAScal <=1.9.1 | PAScal <=1.9.1 | |
| PASconnect <1.4.0 | PASconnect <1.4.0 | |
| PASmotion <1.4.1 | PASmotion <1.4.1 | |
| PNOZmulti Configurator <11.2.0 | PNOZmulti Configurator <11.2.0 | |
| PNOZmulti Configurator LTS <10.14.4 | PNOZmulti Configurator LTS <10.14.4 |
Vulnerabilities
Expand / Collapse allA path traversal vulnerability was discovered in multiple Pilz products. An unauthenticated local attacker could use a zipped, malicious configuration file to trigger arbitrary file writes ('zip-slip'). File writes do not affect confidentiality or availability.
Remediation
Please visit the Pilz Shop (www.pilz.com/en-INT/eshop) to check for the fixed version
Revision History
| Version | Date | Summary |
|---|---|---|
| 1 | 24.11.2022 10:00 | Initial revision. |
| 2 | 05.06.2025 15:28 | Fix: quotation mark |