Schneider Electric EcoStruxure Building Operation Workstation and WebStation Improper XML External Entity Handling Vulnerability

Vulnerability

An improper restriction of XML external entity references (XXE) vulnerability has been identified in Schneider Electric's EcoStruxure Building Operation (EBO) Workstation and WebStation. It is present in all 7.0.x versions prior to 7.0.3.2000 (CP1) and all 6.x versions prior to 6.0.4.14001 (CP10), and could lead to unauthorized disclosure of local files, interaction within the EBO system, or denial-of-service conditions. The issue arises when a local user uploads a specially crafted TGML graphics file to the EBO server from Workstation.

Impact

Exploitation of this vulnerability could result in unauthorized access to local files, disruption of service, or unauthorized interactions within the EBO system.

Remediation

Users can upgrade to EcoStruxure Building Operation versions 7.0.3.2000 (CP1) or 6.0.4.14001 (CP10). Instructions for downloading the patch are available on the Schneider Electric MySchneider Documents Download Center.
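
Until the upgrade is applied, TGML files can be screened before import for a DOCTYPE declaration, which any external entity reference depends on. The script below is an added example, not code from Schneider Electric or from this advisory; it assumes TGML files are plain XML, and the sample documents and element names are constructed.

```python
import sys
from xml.parsers import expat

# Constructed samples; element names are illustrative, not from a real TGML file.
CLEAN = b'<?xml version="1.0"?><Tgml><Rectangle Left="0" Top="0"/></Tgml>'
WITH_DTD = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE Tgml [<!ENTITY ext SYSTEM "constructed-placeholder">]>'
            b'<Tgml>&ext;</Tgml>')
MALFORMED = b'<Tgml><Rectangle></Tgml>'


class DtdFound(Exception):
    """Raised from the handler to stop parsing at the first DOCTYPE."""


def _on_doctype(name, sysid, pubid, has_internal_subset):
    raise DtdFound(name)


def screen_tgml(data: bytes) -> str:
    """Classify one file's bytes as 'clean', 'dtd' or 'malformed'."""
    parser = expat.ParserCreate()
    # Fires at "<!DOCTYPE", before any entity declaration is processed.
    parser.StartDoctypeDeclHandler = _on_doctype
    try:
        parser.Parse(data, True)
    except DtdFound:
        return "dtd"
    except expat.ExpatError:
        return "malformed"
    return "clean"


def main(paths):
    """Print a verdict per file; return 1 if any file is not clean."""
    flagged = 0
    for path in paths:
        with open(path, "rb") as fh:
            verdict = screen_tgml(fh.read())
        print(f"{verdict:9} {path}")
        flagged += verdict != "clean"
    return 1 if flagged else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))
    for label, sample in (("CLEAN", CLEAN), ("WITH_DTD", WITH_DTD), ("MALFORMED", MALFORMED)):
        print(label, "->", screen_tgml(sample))
```

Because the check runs inside the parser rather than as a text search, it also catches a DOCTYPE in a file saved as UTF-16.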

Added: Feb 11, 2026, 2:22 PM
Updated: Feb 11, 2026, 5:50 PM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 2.5
exploitability: 2.6
remediation: 7.9
relevance: 3.0
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.