PT-2015-4542 · Schneider Electric+2 · Ecostruxure Data Center Expert+2

Kevin Schaller

Published

2015-03-18

Updated

2024-10-18

CVE-2015-0250

CVSS v2.0

6.4

Medium

Vector

AV:N/AC:L/Au:N/C:P/I:N/A:P

Name of the Vulnerable Software and Affected Versions Apache Batik versions 1.x before 1.8

Description The issue is related to an XML external entity (XXE) vulnerability in the SVG to PNG and JPG conversion classes. This allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file. There is also a mention of a similar issue in Schneider Electric EcoStruxure Data Center Expert, related to XML External Entity Processing Information Disclosure.

Recommendations For Apache Batik versions 1.x before 1.8, update to version 1.8 or later to resolve the issue. At the moment, there is no information about a newer version that contains a fix for the Schneider Electric EcoStruxure Data Center Expert XML External Entity Processing Information Disclosure Vulnerability.

Exploit

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

CVE-2015-0250

DLA-182-1

DSA-3205-1

GHSA-WFW6-MMMP-87XM

MGASA-2015-0138

USN-2548-1

ZDI-24-1420

Affected Products

Apache Batik

Ecostruxure Data Center Expert

Ubuntu

PT-2015-4542 · Schneider Electric+2 · Ecostruxure Data Center Expert+2

CVE-2015-0250

Weakness Enumeration

Related Identifiers

Affected Products

References · 33