CVE-2020-14204

Name of the Vulnerable Software and Affected Versions WebFOCUS Business Intelligence version 8.0 (SP6)

Description The administration portal in the affected software allows remote attackers to read arbitrary local files or forge server-side HTTP requests via a crafted HTTP request to "/ibi apps/WFServlet.cfg" due to XML external entity injection. This issue is related to modifications in the application repository configuration.

Recommendations For WebFOCUS Business Intelligence version 8.0 (SP6), consider restricting access to the "/ibi apps/WFServlet.cfg" endpoint until a patch is available to prevent XML external entity injection attacks. Additionally, review and secure the application repository configuration to prevent unauthorized modifications.