Solution # - CS291004

Three Security Vulnerabilities found in ThingWorx Platform 6.5 - 8.2

Modified: 06-Aug-2021

Applies to

  • ThingWorx Platform 6.5 F000 to 8.2 SP3
  • ThingWorx Edge SDK 6.0 to 6.1.0
  • Windchill Modeler (formerly Integrity Modeler) 8.4 to 8.5
  • Servigistics Connected Field Service 6.5 to 7.2.1
  • ThingWorx Manufacturing Apps Family 8.0.0 to 8.3.0
  • ThingWorx Navigate 1.0 to 1.6.0
  • Vuforia Studio 8.0.0 to 8.2.3
  • ThingWorx Kepware Server (formerly ThingWorx Industrial Connectivity) 8.0 to 8.2
  • PTC Navigate Manage Traces Lifecycle Manager Extension
  • Flex PLM Tech Pack Connect App


  • Three Security Vulnerabilities found in ThingWorx Platform 6.5 - 8.2
  • Problem Types:
    • Password hash exposure to privileged users
    • Hardcoded encryption key
    • Reflected XSS in SQUEAL search function
Issue Name               | CVE #          | CVSS Score | CWE                                              | Support Details
-------------------------|----------------|------------|--------------------------------------------------|----------------
Password Hash Exposure   | CVE-2018-17216 | 6.6        | CWE-522: Insufficiently Protected Credentials    |
Hardcoded Key            | CVE-2018-17217 | 8.8        | CWE-321: Use of Hard-coded Cryptographic Key     |
Reflected XSS in SQUEAL  | CVE-2018-17218 | 6.5        | CWE-70: Cross-site scripting                     |

PTC would like to thank Matteo Tomaselli from the SEC Consult Vulnerability Lab for responsibly reporting the identified issues and working with PTC to address them.

SEC Consult's Advisory:
