PT-2018-9413 · Ventrian · Ventrian News-Articles

Published 2018-06-26 · Updated 2018-08-20 · CVE-2018-1000515

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Ventrian News-Articles version NewsArticles.00.09.11

Description

The issue is an XML External Entity (XXE) vulnerability in the News-Articles/API/MetaWebLog/Handler.ashx.vb file. It can allow an attacker to read any file on the server or potentially use an SMB relay attack to access the server.

Recommendations

For Ventrian News-Articles version NewsArticles.00.09.11, consider disabling the Handler.ashx.vb file or restricting access to the /News-Articles/API/MetaWebLog/ endpoint until a patch is available. Additionally, restrict SMB relay attacks by implementing proper network segmentation and access controls.

XXE

Weakness Enumeration

Related Identifiers

CVE-2018-1000515

Affected Products

Ventrian News-Articles