
Pilz: Electron Vulnerabilities in PASvisu and PMI v8xx

VDE-2023-059
Last update: 05.12.2023 08:06
Published at: 05.12.2023 08:06
Vendor(s): Pilz GmbH & Co. KG
External ID: VDE-2023-059

Summary

The Builder and Viewer components of the product PASvisu are based on the third-party component Electron. Electron bundles several other open-source components that are affected by vulnerabilities. These vulnerabilities may enable an attacker to gain full control over the system. They can be exploited locally or over the network.

Impact

Displaying a specially crafted HTML page can lead to a heap buffer overflow or heap corruption. In a worst-case scenario, successful exploitation of the vulnerabilities can lead to execution of arbitrary code with the privileges of the user running the affected software. In the case of the PASvisu Builder, the vulnerability can only be exploited locally.

Affected Product(s)

Model no. | Product name | Affected versions
- | PASvisu | Firmware <1.14.1
266807, 266812, 266815 | PMI v8xx | Firmware <=2.0.33992
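To check an asset inventory against the affected ranges in the table above, the following added example (not part of the advisory or any Pilz tooling) compares installed versions to those bounds. It assumes firmware versions are dotted numeric strings and that a shorter version such as 1.14 means 1.14.0; the inventory rows are constructed.

```python
import re

# Affected ranges copied from the advisory's "Affected Product(s)" table.
AFFECTED = {
    "PASvisu": "<1.14.1",
    "PMI v8xx": "<=2.0.33992",
}

def parse_version(text):
    """Turn '1.14.1' into (1, 14, 1); raise ValueError on anything else."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in text.split("."))

def compare(a, b):
    """Compare version tuples; the shorter one is zero-padded (assumption)."""
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return (a > b) - (a < b)

def status(product, installed):
    """Return 'affected', 'not affected', 'unknown' or 'not listed'."""
    rule = AFFECTED.get(product)
    if rule is None:
        return "not listed"  # product is not covered by this advisory
    op, bound = re.fullmatch(r"(<=|<)(.+)", rule).groups()
    try:
        c = compare(parse_version(installed), parse_version(bound))
    except ValueError:
        return "unknown"  # do not guess: flag the asset for manual review
    return "affected" if (c < 0 or (op == "<=" and c == 0)) else "not affected"

# Constructed inventory rows (product, installed version), not real data.
INVENTORY = [
    ("PASvisu", "1.13.0"), ("PASvisu", "1.14.1"), ("PASvisu", "1.14"),
    ("PMI v8xx", "2.0.33992"), ("PMI v8xx", "2.0.34000"),
    ("PMI v8xx", "v2.0-beta"),
]

def audit(rows):
    """Evaluate every inventory row against the advisory ranges."""
    return [(p, v, status(p, v)) for p, v in rows]

if __name__ == "__main__":
    for product, version, result in audit(INVENTORY):
        print(f"{product:10} {version:12} {result}")
```

Assets reported as unknown carry a version string the parser could not read and need a manual check.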

Vulnerabilities


Published: 22.09.2025 14:57
Weakness: Use After Free (CWE-416)
Summary

Use after free in Site Isolation in Google Chrome prior to 118.0.5993.70 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)


Published: 22.09.2025 14:57
Weakness: Out-of-bounds Write (CWE-787)
Summary

Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)


Remediation

Install the fixed product version as soon as it is available. Please visit the Pilz eShop (https://www.pilz.com/en-INT/eshop) to check for the fixed version.
Only use project files from trustworthy sources.
Protect project files against modification by unauthorized users.
Limit network access to legitimate connections by using a firewall or similar measures. Use password protection on the online project.

Revision History

Version | Date | Summary
1 | 05.12.2023 08:06 | Initial revision.