Article - CS291004

Three Security Vulnerabilities found in ThingWorx Platform 6.5 - 8.2

Modified: 06-Aug-2021   

Applies To

  • ThingWorx Platform 6.5 F000 to 8.2 SP3
  • ThingWorx Edge SDK 6.0 to 6.1.0
  • Windchill Modeler (formerly Integrity Modeler) 8.4 to 8.5
  • Servigistics Connected Field Service 6.5 to 7.2.1
  • ThingWorx Manufacturing Apps Family 8.0.0 to 8.3.0
  • ThingWorx Navigate 1.0 to 1.6.0
  • Vuforia Studio 8.0.0 to 8.2.3
  • ThingWorx Kepware Server (formerly ThingWorx Industrial Connectivity) 8.0 to 8.2
  • PTC Navigate Manage Traces Lifecycle Manager Extension
  • Flex PLM Tech Pack Connect App


  • Three Security Vulnerabilities found in ThingWorx Platform 6.5 - 8.2
  • Problem Types:
    • Password hash exposure to privileged users
    • Hardcoded encryption key
    • Reflected XSS in SQUEAL search function
Issue Name                CVE #           CVSS Score  CWE                                            Support Details
Password Hash Exposure    CVE-2018-17216  6.6         CWE-522: Insufficiently Protected Credentials  https://support.ptc.com/view?im_dbkey=174792
Hardcoded Key             CVE-2018-17217  8.8         CWE-321: Use of Hard-coded Cryptographic Key   https://support.ptc.com/view?im_dbkey=174791
Reflected XSS in SQUEAL   CVE-2018-17218  6.5         CWE-70: Cross-site scripting                   https://support.ptc.com/view?im_dbkey=174793

PTC would like to thank Matteo Tomaselli from the SEC Consult Vulnerability Lab for responsibly reporting the identified issues and working with PTC to address them.

SEC Consult's Advisory: https://r.sec-consult.com/ptc

This is the PDF version of article CS291004, which may be out of date. For the latest version, see https://www.ptc.com/ru/support/article/CS291004