Potential for Inadvertent Information Exposure in the Rich Text Editor Spell Check plugin in Windchill / FlexPLM
Applies To
- FlexPLM 11.0 F000 to 11.1 M020
- Windchill PDMLink 11.0 F000 to 11.2.0.0
- Windchill QMS 11.0 F000 to 11.2.0.0
- Windchill MPMLink 11.0 F000 to 11.2.0.0
- Pro/INTRALINK 8.x + 11.0 to 11.2
Description
CVSS 3.0 vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:H
CWE-200: Information Exposure
PTC has no knowledge, or any reason to believe, that there has been a breach of information but is providing this update to enable customers to assess their own usage of the Spell Check feature.
- PTC strongly recommends that all Windchill and FlexPLM customers update their deployments to remove the Spell Check plugin as soon as possible.
- The Spell Check plugin is used in selected text fields in Windchill / FlexPLM, such as change object comment fields.
- A patch is available to remove the Spell Check plugin for all supported versions of Windchill / FlexPLM.
- Our plan is to reintroduce comparable functionality in the fall of 2019.
- Windchill / FlexPLM customers starting with Windchill 11.0 should be aware that the Rich Text Editor Spell Check plugin sends text selected for a spell check to an external third-party web service.
- This means that PTC cannot warrant or guarantee anything about the spell check services, including the security of the service, the retention or storage of the data sent to the service, or the possible dissemination or reuse of the data.
- While the plugin presents a security risk, the level of risk will vary based on:
  - Whether or not the customer's users use the Spell Check functionality
  - The information entered into the UI pages that use the Rich Text Editor by the customer's users
  - The customer's classification of what is considered sensitive information
  - Customers that use HTTP instead of HTTPS are at risk of a Man-In-The-Middle attack obtaining the data in transit to the third-party service
- Details on the Spell Check plugin:
  - The Spell Check plugin can provide either Spell Check As You Type (SCAYT) or an on-demand Check Spelling of the contents of the field
  - The Spell Check plugin only sends text data from the Rich Text field to the service when one of these two options is selected
  - No CAD files or business objects are exposed or sent as part of the spell check
  - Neither of these options is enabled by default
  - Neither of these options is 'sticky'; they must be re-selected for each instance of the Rich Text Editor, each time a page is loaded in the Windchill UI

- The Rich Text Editor with the Spell Check plugin is only used in the following UI Pages and Fields:
| Product | Page | Field |
| --- | --- | --- |
| Windchill PDMLink | New / Edit Change Request | Description |
| Windchill PDMLink | New / Edit Change Request | Proposed Solution |
| Windchill PDMLink | New / Edit Problem Report | Description |
| Windchill PDMLink | New / Edit Change Notice | Description |
| Windchill PDMLink | New / Edit Change Task | Description |
| Windchill PDMLink | New / Edit Design Review | Description |
| Windchill PDMLink | New / Edit Variance | Description |
| Windchill PDMLink | New / Edit Variance | Reason |
| Windchill PDMLink | E-Mail Document | Additional Message Text |
| Windchill QMS | New / Edit Audit | Audit Criteria -> Reason |
| Windchill MPMLink | New / Edit Standard Control Characteristics | Long Description |
| FlexPLM | E-Mail Page | Message Body |