Three Security Vulnerabilities found in ThingWorx Platform 6.5 - 8.2
Applies To
- ThingWorx Platform 6.5 F000 to 8.2 SP3
- Windchill Navigate (formerly ThingWorx Navigate) 1.0 to 1.6.0
- ThingWorx Manufacturing Apps Family 8.0.0 to 8.3.0
- Vuforia Studio 8.0.0 to 8.2.3
- Servigistics Connected Field Service 6.5 to 7.2.1
- ThingWorx Edge SDK 6.0 to 6.1.0
- PTC Modeler 8.4 to 8.5
- ThingWorx Kepware Server 8.0 to 8.2
- PTC Navigate Manage Traces Lifecycle Manager Extension
- Flex PLM Tech Pack Connect App
Description
- Problem types:
  - Password hash exposure to privileged users
  - Hard-coded encryption key
  - Reflected cross-site scripting (XSS) in the SQUEAL search function
Issue Name | CVE | CVSS Score | CWE | Support Details
---|---|---|---|---
Password Hash Exposure | CVE-2018-17216 | 6.6 | CWE-522: Insufficiently Protected Credentials | https://support.ptc.com/view?im_dbkey=174792
Hard-coded Key | CVE-2018-17217 | 8.8 | CWE-321: Use of Hard-coded Cryptographic Key | https://support.ptc.com/view?im_dbkey=174791
Reflected XSS in SQUEAL | CVE-2018-17218 | 6.5 | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | https://support.ptc.com/view?im_dbkey=174793
PTC would like to thank Matteo Tomaselli of the SEC Consult Vulnerability Lab for responsibly reporting these issues and working with PTC to address them.
SEC Consult's Advisory: https://r.sec-consult.com/ptc