Vulnerability Description
A zip slip vulnerability in XINJE XD/E Series PLC Program Tool up to version v3.5.1 can provide an attacker with arbitrary file write privilege when opening a specially-crafted project file. This vulnerability can be triggered by manually opening an infected project file, or by initiating an upload program request from an infected Xinje PLC. This can result in remote code execution, information disclosure and denial of service of the system running the XINJE XD/E Series PLC Program Tool.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Xinje | XD/E Series PLC Program Tool | <= 3.5.1 |
Related Weaknesses (CWE)
References
- https://claroty.com/2022/05/11/blog-research-from-project-file-to-code-execution (Exploit, Third Party Advisory)
FAQ
What is CVE-2021-34605?
CVE-2021-34605 is a vulnerability with a CVSS score of 7.3 (HIGH). A zip slip vulnerability in XINJE XD/E Series PLC Program Tool up to version v3.5.1 can provide an attacker with arbitrary file write privilege when opening a specially-crafted project file. This vuln...
How severe is CVE-2021-34605?
CVE-2021-34605 has been rated HIGH with a CVSS base score of 7.3/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2021-34605?
Check the references section above for vendor advisories and patch information. Affected products include: Xinje XD/E Series PLC Program Tool.