PT-2018-2186 · Infinite Informatics · IIoT Monitor
Published 2018-12-20 · Updated 2019-02-01 · CVE-2018-7837
| CVSS v2.0 | 9.4 (High) |
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:N |
Name of the Vulnerable Software and Affected Versions
IIoT Monitor version 3.1.38
Description
An Improper Restriction of XML External Entity Reference ('XXE', CWE-611) issue exists in numerous XML-handling methods of the software. The XML parser resolves external entities declared in attacker-supplied documents, so it can be made to fetch documents outside its intended sphere of control (for example, local files on the host or resources reachable from it) and embed their contents in its output. A remote, unauthenticated attacker can exploit this to disclose restricted information and to inject attacker-chosen content into the application's output, which is reflected in the CVSS vector (complete loss of confidentiality and integrity, no availability impact).
Recommendations
For IIoT Monitor version 3.1.38, as a temporary workaround, disable external entity resolution (DTD/XXE processing) in the affected XML-parsing methods until a patch is available. Restrict network access to the EventMgmt, AccountMgmt, and RuleMgmt modules to trusted hosts to minimize the risk of exploitation, and avoid using the getEvtPeriod, addEvent, Logout, Login, addRule, and forgotPwd functions of the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
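The following is an added example, not code from this advisory or from IIoT Monitor: it shows, with the Python standard library's xml.sax parser, what the weakness described above looks like in practice and the single parser setting that the workaround amounts to. The request format, the element names and the "secret" file are constructed stand-ins for the product's real API and data.

```python
"""Added example (not from the advisory or the vendor): an XML endpoint that
resolves external general entities leaks local files into its output; the
same request parsed with entity resolution off yields nothing.
Stdlib only (xml.sax). The request schema is a hypothetical stand-in."""
import io
import os
import tempfile
import xml.sax
from xml.sax import handler


class TextCollector(handler.ContentHandler):
    """Collects the character data the parser emits, i.e. what a naive
    endpoint would reflect into its response."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


def parse_request(xml_bytes, resolve_external_entities):
    """Parse an XML request body and return its text content.

    resolve_external_entities=True mirrors a parser with XXE processing
    left on (the weakness the advisory describes); False is the hardened
    setting the workaround asks for.
    """
    parser = xml.sax.make_parser()
    # feature_external_ges decides whether SYSTEM entities are fetched.
    # Python >= 3.7.1 defaults it to False; older versions defaulted to True.
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text().strip()


def build_xxe_payload(local_path, element="user"):
    """Classic XXE request: a DOCTYPE-declared SYSTEM entity that points at a
    local file, referenced from an element whose value the server reflects.
    The <request>/<user> layout is a constructed stand-in, not the product's."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE request [\n'
        f'  <!ENTITY xxe SYSTEM "file://{local_path}">\n'
        ']>\n'
        f'<request><{element}>&xxe;</{element}></request>'
    ).encode()


def demo():
    """Write a constructed 'secret' file, then parse one payload with both
    settings. Returns (output_with_xxe_on, output_with_xxe_off)."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as f:
        f.write("db_password=hunter2")  # constructed secret, not real data
        secret_path = f.name
    try:
        payload = build_xxe_payload(secret_path)
        leaked = parse_request(payload, resolve_external_entities=True)
        safe = parse_request(payload, resolve_external_entities=False)
    finally:
        os.unlink(secret_path)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("external entities on :", repr(leaked))
    print("external entities off:", repr(safe))
```

With resolution on, the contents of the file named in the SYSTEM entity come back as the value of the reflected element; with it off, the entity reference expands to nothing and the request is otherwise processed normally, which is why turning the feature off is a viable workaround rather than a functional regression. Other parsers differ in their defaults (Java's default JAXP DocumentBuilderFactory, for instance, resolves external entities unless the relevant features are explicitly disabled), so the check to make on any XML-consuming endpoint is the parser's entity-resolution setting, not the language.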
Weakness Enumeration
XXE (CWE-611)
Related Identifiers
Affected Products
IIoT Monitor