CVE-2018-13416

Name of the Vulnerable Software and Affected Versions Universal Media Server version 7.1.0

Description The XML parsing engine for SSDP/UPnP functionality in Universal Media Server is vulnerable to an XML External Entity Processing (XXE) attack. This allows remote, unauthenticated attackers to access arbitrary files from the filesystem with the same permission as the user account running the software, initiate SMB connections to capture a NetNTLM challenge/response and crack to cleartext password, or initiate SMB connections to relay a NetNTLM challenge/response and achieve Remote Command Execution in Windows domains.

Recommendations For Universal Media Server version 7.1.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.