Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2017-17762

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-29 Aug, 2018 | 19:00
Updated At-05 Aug, 2024 | 20:59
Rejected At-
Credits

XML external entity (XXE) vulnerability in Episerver 7 patch 4 and earlier allows remote attackers to read arbitrary files via a crafted DTD in an XML request involving util/xmlrpc/Handler.ashx.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:29 Aug, 2018 | 19:00
Updated At:05 Aug, 2024 | 20:59
Rejected At:
▼CVE Numbering Authority (CNA)

XML external entity (XXE) vulnerability in Episerver 7 patch 4 and earlier allows remote attackers to read arbitrary files via a crafted DTD in an XML request involving util/xmlrpc/Handler.ashx.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://gist.github.com/jonaslejon/5f92779848360a1a1e676af0795bd9aa
x_refsource_MISC
https://kryptera.se/sarbarhet-i-episerver/
x_refsource_MISC
Hyperlink: https://gist.github.com/jonaslejon/5f92779848360a1a1e676af0795bd9aa
Resource:
x_refsource_MISC
Hyperlink: https://kryptera.se/sarbarhet-i-episerver/
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://gist.github.com/jonaslejon/5f92779848360a1a1e676af0795bd9aa
x_refsource_MISC
x_transferred
https://kryptera.se/sarbarhet-i-episerver/
x_refsource_MISC
x_transferred
Hyperlink: https://gist.github.com/jonaslejon/5f92779848360a1a1e676af0795bd9aa
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://kryptera.se/sarbarhet-i-episerver/
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:29 Aug, 2018 | 19:29
Updated At:08 Nov, 2018 | 18:51

XML external entity (XXE) vulnerability in Episerver 7 patch 4 and earlier allows remote attackers to read arbitrary files via a crafted DTD in an XML request involving util/xmlrpc/Handler.ashx.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.07.5HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary2.05.0MEDIUM
AV:N/AC:L/Au:N/C:P/I:N/A:N
Type: Primary
Version: 3.0
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Type: Primary
Version: 2.0
Base score: 5.0
Base severity: MEDIUM
Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N
CPE Matches
episerver
episerver
>>episerver>>Versions up to 7(inclusive)
cpe:2.3:a:episerver:episerver:*:*:*:*:*:*:*:*
episerver
episerver
>>episerver>>7
cpe:2.3:a:episerver:episerver:7:*:*:*:*:*:*:*
episerver
episerver
>>episerver>>7
cpe:2.3:a:episerver:episerver:7:patch_1:*:*:*:*:*:*
episerver
episerver
>>episerver>>7
cpe:2.3:a:episerver:episerver:7:patch_2:*:*:*:*:*:*
episerver
episerver
>>episerver>>7
cpe:2.3:a:episerver:episerver:7:patch_3:*:*:*:*:*:*
episerver
episerver
>>episerver>>7
cpe:2.3:a:episerver:episerver:7:patch_4:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-611Primarynvd@nist.gov
CWE ID: CWE-611
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://gist.github.com/jonaslejon/5f92779848360a1a1e676af0795bd9aacve@mitre.org
Exploit
Third Party Advisory
https://kryptera.se/sarbarhet-i-episerver/cve@mitre.org
Exploit
Mitigation
Third Party Advisory
Hyperlink: https://gist.github.com/jonaslejon/5f92779848360a1a1e676af0795bd9aa
Source: cve@mitre.org
Resource:
Exploit
Third Party Advisory
Hyperlink: https://kryptera.se/sarbarhet-i-episerver/
Source: cve@mitre.org
Resource:
Exploit
Mitigation
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

117Records found
CVE-2019-7847
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-7.5||HIGH
EPSS-1.15% / 77.66%
||
7 Day CHG~0.00%
Published-18 Jul, 2019 | 21:44
Updated-04 Aug, 2024 | 21:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Adobe Campaign Classic version 18.10.5-8984 and earlier versions have an Improper Restriction of XML External Entity Reference ('XXE') vulnerability. Successful exploitation could lead to Arbitrary read access to the file system in the context of the current user.

Action-Not Available
Vendor-n/aAdobe Inc.Linux Kernel Organization, IncMicrosoft Corporation
Product-windowscampaignlinux_kernelAdobe Campaign
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2017-14101
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.50% / 64.90%
||
7 Day CHG~0.00%
Published-15 Dec, 2017 | 18:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A security researcher found an XML External Entity (XXE) vulnerability on the Conserus Image Repository archive solution version 2.1.1.105 by McKesson Medical Imaging Company, which is now a Change Healthcare company. An unauthenticated user supplying a modified HTTP SOAP request to the vulnerable service allows for arbitrary file read access to the local file system as well as the transmittal of the application service's account hashed credentials to a remote attacker.

Action-Not Available
Vendor-changehealthcaren/a
Product-conserus_image_repositoryn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2012-4399
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-24.92% / 95.94%
||
7 Day CHG~0.00%
Published-09 Oct, 2012 | 23:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Xml class in CakePHP 2.1.x before 2.1.5 and 2.2.x before 2.2.1 allows remote attackers to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.

Action-Not Available
Vendor-cakefoundationn/a
Product-cakephpn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2012-2656
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-1.04% / 76.51%
||
7 Day CHG~0.00%
Published-18 Dec, 2019 | 18:16
Updated-06 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XML eXternal Entity (XXE) issue exists in Restlet 1.1.10 in an endpoint using XML transport, which lets a remote attacker obtain sensitive information.

Action-Not Available
Vendor-talendwww.restlet.org/
Product-restletRestlet
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2012-1102
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-0.29% / 52.02%
||
7 Day CHG~0.00%
Published-09 Jul, 2021 | 10:42
Updated-06 Aug, 2024 | 18:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

It was discovered that the XML::Atom Perl module before version 0.39 did not disable external entities when parsing XML from potentially untrusted sources. This may allow attackers to gain read access to otherwise protected resources, depending on how the library is used.

Action-Not Available
Vendor-xml\n/a
Product-\perl-xml-atom
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2011-3600
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-3.91% / 87.84%
||
7 Day CHG~0.00%
Published-26 Nov, 2019 | 00:07
Updated-06 Aug, 2024 | 23:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The /webtools/control/xmlrpc endpoint in OFBiz XML-RPC event handler is exposed to External Entity Injection by passing DOCTYPE declarations with executable payloads that discloses the contents of files in the filesystem. In addition, it can also be used to probe for open network ports, and figure out from returned error messages whether a file exists or not. This affects OFBiz 16.11.01 to 16.11.04.

Action-Not Available
Vendor-OFBizThe Apache Software Foundation
Product-ofbizOFBiz
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2019-12924
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.14% / 34.16%
||
7 Day CHG+0.02%
Published-08 Jul, 2019 | 21:00
Updated-04 Aug, 2024 | 23:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

MailEnable Enterprise Premium 10.23 was vulnerable to XML External Entity Injection (XXE) attacks that could be exploited by an unauthenticated user. It was possible for an attacker to use a vulnerability in the configuration of the XML processor to read any file on the host system. Because all credentials were stored in a cleartext file, it was possible to steal all users' credentials (including the highest privileged users).

Action-Not Available
Vendor-mailenablen/a
Product-mailenablen/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CVE-2019-13358
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-41.68% / 97.33%
||
7 Day CHG~0.00%
Published-05 Jul, 2019 | 20:26
Updated-04 Aug, 2024 | 23:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

lib/DocumentToText.php in OpenCats before 0.9.4-3 has XXE that allows remote users to read files on the underlying operating system. The attacker must upload a file in the docx or odt format.

Action-Not Available
Vendor-opencatsn/a
Product-opencatsn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2022-31447
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.43% / 61.83%
||
7 Day CHG~0.00%
Published-14 Jun, 2022 | 02:46
Updated-03 Aug, 2024 | 07:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XML external entity (XXE) injection vulnerability in Magicpin v3.4 allows attackers to access sensitive database information via a crafted SVG file.

Action-Not Available
Vendor-magicpinn/a
Product-magicpinn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2019-10718
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.24% / 47.26%
||
7 Day CHG~0.00%
Published-21 Jun, 2019 | 18:23
Updated-04 Aug, 2024 | 22:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

BlogEngine.NET 3.3.7.0 and earlier allows XML External Entity Blind Injection, related to pingback.axd and BlogEngine.Core/Web/HttpHandlers/PingbackHandler.cs.

Action-Not Available
Vendor-dotnetblogenginen/a
Product-blogengine.netn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2019-0188
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-2.24% / 83.92%
||
7 Day CHG~0.00%
Published-28 May, 2019 | 18:10
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Apache Camel prior to 2.24.0 contains an XML external entity injection (XXE) vulnerability (CWE-611) due to using an outdated vulnerable JSON-lib library. This affects only the camel-xmljson component, which was removed.

Action-Not Available
Vendor-The Apache Software FoundationOracle Corporation
Product-enterprise_repositorycamelflexcube_private_bankingenterprise_data_qualityenterprise_manager_base_platformApache Camel
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-20157
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.56% / 67.29%
||
7 Day CHG~0.00%
Published-14 Dec, 2018 | 23:00
Updated-05 Aug, 2024 | 11:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files.

Action-Not Available
Vendor-openrefinen/a
Product-openrefinen/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-20000
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.28% / 50.97%
||
7 Day CHG~0.00%
Published-10 Dec, 2018 | 02:00
Updated-16 Sep, 2024 | 18:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Apereo Bedework bw-webdav before 4.0.3 allows XXE attacks, as demonstrated by an invite-reply document that reads a local file, related to webdav/servlet/common/MethodBase.java and webdav/servlet/common/PostRequestPars.java.

Action-Not Available
Vendor-apereon/a
Product-bw-webdavn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2019-8082
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-7.5||HIGH
EPSS-0.95% / 75.48%
||
7 Day CHG~0.00%
Published-25 Oct, 2019 | 14:50
Updated-04 Aug, 2024 | 21:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Adobe Experience Manager versions 6.4, 6.3 and 6.2 have a xml external entity injection vulnerability. Successful exploitation could lead to sensitive information disclosure.

Action-Not Available
Vendor-Adobe Inc.
Product-experience_managerAdobe Experience Manager
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2019-6179
Matching Score-4
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-4
Assigner-Lenovo Group Ltd.
CVSS Score-5.3||MEDIUM
EPSS-0.29% / 51.45%
||
7 Day CHG~0.00%
Published-03 Sep, 2019 | 18:50
Updated-16 Sep, 2024 | 21:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XML External Entity (XXE) processing vulnerability was reported in Lenovo XClarity Administrator (LXCA) prior to version 2.5.0 , Lenovo XClarity Integrator (LXCI) for Microsoft System Center prior to version 7.7.0, and Lenovo XClarity Integrator (LXCI) for VMWare vCenter prior to version 6.1.0 that could allow information disclosure.

Action-Not Available
Vendor-Lenovo Group Limited
Product-xclarity_administratorxclarity_integratorXClarity Administrator (LXCA)XClarity Integrator (LXCI) for VMware vCenterXClarity Integrator (LXCI) for Microsoft System Center
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-29620
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.96% / 75.59%
||
7 Day CHG~0.00%
Published-23 Jun, 2021 | 17:35
Updated-03 Aug, 2024 | 22:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XXE vulnerability on Launch import with externally-defined DTD file

Report portal is an open source reporting and analysis framework. Starting from version 3.1.0 of the service-api XML parsing was introduced. Unfortunately the XML parser was not configured properly to prevent XML external entity (XXE) attacks. This allows a user to import a specifically-crafted XML file which imports external Document Type Definition (DTD) file with external entities for extraction of secrets from Report Portal service-api module or server-side request forgery. This will be resolved in the 5.4.0 release.

Action-Not Available
Vendor-reportportalreportportal
Product-service-apireportportal
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2020-6590
Matching Score-4
Assigner-Forcepoint
ShareView Details
Matching Score-4
Assigner-Forcepoint
CVSS Score-7.5||HIGH
EPSS-0.25% / 47.99%
||
7 Day CHG~0.00%
Published-08 Apr, 2021 | 21:32
Updated-04 Aug, 2024 | 09:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Forcepoint Web Security Content Gateway versions prior to 8.5.4 improperly process XML input, leading to information disclosure.

Action-Not Available
Vendor-forcepointn/a
Product-data_loss_preventionweb_security_content_gatewayemail_securityForcepoint Web Security Content Gateway
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
  • Previous
  • 1
  • 2
  • 3
  • Next
Details not found