Improper restriction of XML external entity reference (XXE) vulnerability in OMRON NB-Designer
Overview
OMRON NB-Designer contains an improper restriction of XML external entity reference (XXE) vulnerability.
Description
NB-Designer provided by OMRON Corporation contains an improper restriction of XML external entity reference (XXE) vulnerability (CWE-611, CVE-2024-12298).
Impact
If a user opens a specially crafted project file created by an attacker, sensitive information in the system where NB-Designer is installed may be disclosed.
Solution
Update the software
According to the information provided by the developer, update the software to the version listed below, which contains a fix for this vulnerability.
- NB-Designer Ver.1.64 or later
For details on how to obtain the fixed version, refer to the information provided by the developer.
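Until the update is applied, project files received from untrusted sources can be screened for external entity declarations before they are opened. The following Python script is an added example, not code from OMRON or JPCERT/CC. It assumes the project file can be read directly as XML (the advisory does not describe the file format); the function name and both sample documents are constructed for illustration.

```python
import xml.parsers.expat

def find_entity_declarations(xml_bytes):
    """Return findings for external DTD/entity declarations in xml_bytes.

    Declarations are only recorded. No ExternalEntityRefHandler is set,
    so expat never fetches anything the document points at.
    """
    findings = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # An external DTD subset can itself carry entity declarations.
        if system_id or public_id:
            findings.append(("external-dtd", name, system_id or public_id))

    def on_entity(name, is_parameter, value, base, system_id, public_id, notation):
        # External entities have no inline value, only a system/public id.
        if system_id or public_id:
            kind = "external-parameter-entity" if is_parameter else "external-entity"
            findings.append((kind, name, system_id or public_id))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError as exc:
        # Malformed input is also a reason not to open the file.
        findings.append(("parse-error", None, str(exc)))
    return findings

# Constructed samples (not real NB-Designer project files).
BENIGN = b'<?xml version="1.0"?><project><screen id="1"/></project>'
SUSPICIOUS = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE project [<!ENTITY ext SYSTEM "file:///constructed/placeholder">]>'
    b'<project>&ext;</project>'
)
EXTERNAL_DTD = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE project SYSTEM "http://example.invalid/p.dtd"><project/>'
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("suspicious", SUSPICIOUS),
                       ("external-dtd", EXTERNAL_DTD)):
        print(label, find_entity_declarations(doc))
```

Any non-empty result is a reason to withhold the file from an unpatched NB-Designer installation and review it manually.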
Credit
Michael Heinzl reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.