Xovis Security Bulletin 2018-002

Description

Xovis PC-series sensors firmware through 3.6.0 allow XXE.

Vulnerability Details

The PC-series sensor firmware is vulnerable to information disclosure via XXE.

Affected Products and Versions

All PC-series sensor firmware versions up to 3.6.0.

Remediation/Fixes

Apply the PC-series sensor firmware 3.7.0 or newer.

Workarounds and Mitigations

An attacker must already have admin access to exploit this issue.

References

• MITRE: CVE-2018-11719
• CVSS: 8.7

Acknowledgements

Xovis would like to thank Ayushman Dutta for responsibly reporting this vulnerability to protect our customers.

History

• 2018-08-29: CVE publication
• 2018-07-04: Fix released, notification of customers
• 2018-06-04: CVE ID assigned
• 2018-05-23: Vulnerability reported