This is a PDF version of Article CS291004 and may be out of date. For the latest version click here
Article - CS291004

Three Security Vulnerabilities found in ThingWorx Platform 6.5 - 8.2

Created: 21-Aug-2018   |   Modified: 28-Sep-2018   

Applies To

  • ThingWorx Platform 6.5 F000 to 8.2 SP3
  • ThingWorx Edge SDK 6.0 to 6.1.0
  • Integrity Modeler 8.4 to 8.5
  • Servigistics Connected Field Service 6.5 to 7.2.1
  • ThingWorx Manufacturing Apps Family 8.0.0 to 8.3.0
  • ThingWorx Navigate 1.0 to 1.6.0
  • Vuforia Studio 8.0.0 to 8.2.3
  • ThingWorx Industrial Connectivity 8.0 to 8.2
  • PTC Navigate Manage Traces Lifecycle Manager Extension
  • Flex PLM Tech Pack Connect App

Description

  • Three Security Vulnerabilities found in ThingWorx Platform 6.5 - 8.2
  • Problem Types:
    • Password hash exposure to privileged users
    • Hardcoded encryption key
    • Reflected XSS in SQUEAL search function
 
Issue NameCVE #CVSS ScoreCWESupport Details
Password Hash ExposureCVE-2018-172166.6CWE-522: Insufficiently Protected Credentialshttps://support.ptc.com/view?im_dbkey=174792
Hardcoded KeyCVE-2018-172178.8CWE-321: Use of Hard-coded Cryptographic Keyhttps://support.ptc.com/view?im_dbkey=174791
Reflected XSS in SQUEALCVE-2018-172186.5CWE-70: Cross-site scriptinghttps://support.ptc.com/view?im_dbkey=174793

PTC would like to thank Matteo Tomaselli from the SEC Consult Vulnerability Lab for responsibly reporting the identified issues and working with PTC to address them

SEC Consult's Advisory: https://r.sec-consult.com/ptc