2017-05-02 | Other | Schneider Electric
# Schneider Electric Wonderware Historian Client
### VULNERABLE VENDOR
Schneider Electric
### VULNERABLE PRODUCT
Wonderware Historian Client
### RESEARCHER
Andrey Zhukov from USSC reported this vulnerability and has tested the patch.
### AFFECTED PRODUCTS
The following versions of Wonderware Historian Client, an analysis and reporting software, are affected:
Wonderware Historian Client 2014 R2 SP1 and prior.
Successful exploitation of this vulnerability could allow a malicious entity to cause denial of service of trend display or to disclose arbitrary files from the local file system to a malicious web site.
### VULNERABILITY OVERVIEW
IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE ('XXE') CWE-611
An improperly restricted XML parser may allow an attacker to enter malicious input through the application which could cause a denial of service or disclose file contents from a server or connected network.
CVE-2017-7907 has been assigned to this vulnerability.
A CVSS v3 base score of 6.6 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H).
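The "improper restriction" named by CWE-611 is the parser accepting DTDs and resolving the entities they declare. The following is an added example, not Schneider Electric's code and not taken from the product: a Python parser that refuses any DOCTYPE or external entity reference before the document reaches ElementTree, run against a constructed benign document and a constructed document carrying an external entity (the file path is a placeholder, not a real target).

```python
"""Restricted XML parsing for untrusted documents (added example, not vendor code)."""
import xml.parsers.expat
import xml.etree.ElementTree as ET


class UnsafeXmlError(ValueError):
    """Raised when an untrusted document carries a DOCTYPE or external entity."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # Any DOCTYPE is refused: an internal subset can declare SYSTEM entities
    # (local file disclosure) or recursive entities (denial of service).
    raise UnsafeXmlError(
        f"DOCTYPE {name!r} refused (system id={sysid!r}, "
        f"internal subset={bool(has_internal_subset)})"
    )


def _reject_external_entity(context, base, system_id, public_id):
    # Defence in depth: never fetch external resources even if a DTD got through.
    raise UnsafeXmlError(f"external entity {system_id!r} refused")


def parse_restricted(xml_bytes: bytes) -> ET.Element:
    """Parse XML from an untrusted source, refusing DTDs and external entities.

    A first expat pass aborts as soon as a DOCTYPE or external entity reference
    appears; only documents that pass are handed to ElementTree.
    """
    guard = xml.parsers.expat.ParserCreate()
    guard.StartDoctypeDeclHandler = _reject_doctype
    guard.ExternalEntityRefHandler = _reject_external_entity
    guard.Parse(xml_bytes, True)  # UnsafeXmlError or ExpatError on bad input
    return ET.fromstring(xml_bytes)


def is_safe(xml_bytes: bytes) -> bool:
    """True if the document parses under the restrictions, False otherwise."""
    try:
        parse_restricted(xml_bytes)
        return True
    except (UnsafeXmlError, xml.parsers.expat.ExpatError):
        return False


# Constructed sample inputs (hypothetical trend files, not real product data).
BENIGN_TREND = b"""<?xml version="1.0"?>
<Trend><Tag name="ReactorTemp" server="HISTORIAN01"/></Trend>"""

XXE_TREND = b"""<?xml version="1.0"?>
<!DOCTYPE Trend [<!ENTITY leak SYSTEM "file:///PLACEHOLDER/local/file">]>
<Trend><Tag name="&leak;"/></Trend>"""
```

Running `is_safe` over the two samples returns True for the benign file and False for the one with the external entity declaration.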
Critical Infrastructure Sector(s): Critical Manufacturing, Energy, Healthcare and Public Health, Water and Wastewater Systems
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Paris, France
Schneider Electric recommends that users of Wonderware Historian Client 2014 R2 SP1 apply update HC_SecurityHF_10.6.13100. Users of older versions of Wonderware Historian Client are also affected and should first upgrade to Wonderware Historian Client 2014 R2 SP1 and then apply HC_SecurityHF_10.6.13100.
Users of Wonderware Historian Client can log in at the following support web site to download the upgrade:
Schneider Electric has issued Security Bulletin LFSEC00000120, which contains additional information: