CVE-2019-16188

Name of the Vulnerable Software and Affected Versions HCL AppScan Source versions prior to 9.03.13

Description The issue allows for XML External Entity (XXE) attacks, which can lead to information disclosure and denial of service attacks. An attacker can send a specially crafted .ozasmt file to a victim, and when the victim imports this file, the content of any local file (accessible to the victim) can be exfiltrated to a remote listener controlled by the attacker. This is due to the product not disabling external XML Entity Processing.

Recommendations For versions prior to 9.03.13, update to version 9.03.13 or later to resolve the issue. As a temporary workaround, consider disabling the import of .ozasmt files until a patch is applied. Restrict access to sensitive files and directories to minimize the risk of information disclosure.