PT-2018-9546 · Codelib · Fess
Prodigysml
·
Published
2018-12-20
·
Updated
2019-01-08
·
CVE-2018-1000822
CVSS v3.1
10
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
codelibs fess versions before commit faa265b
Description
The issue is related to a XML External Entity (XXE) vulnerability in the GSA XML file parser. This can lead to disclosure of confidential data, denial of service, Server-Side Request Forgery (SSRF), and port scanning. The attack is exploitable via specially crafted GSA XML files.
Recommendations
For versions before commit faa265b, update to a version after commit faa265b to resolve the issue. As a temporary workaround, consider restricting the use of the GSA XML file parser until a patch is available. Avoid using specially crafted GSA XML files in the affected parser until the issue is resolved.
Fix
XXE
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Fess