CVE-2021-27184

Name of the Vulnerable Software and Affected Versions: Pelco Digital Sentry Server version 7.18.72.11464

Description: The issue is related to an XML External Entity vulnerability, which can be exploited via the DTD parameter entities technique. This results in the disclosure and retrieval of arbitrary data on the affected node via an out-of-band (OOB) attack. The vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the ControlPointCacheShare.xml file in the %APPDATA%Pelco directory when DSControlPoint.exe is executed.

Recommendations: For Pelco Digital Sentry Server version 7.18.72.11464, as a temporary workaround, consider disabling the execution of DSControlPoint.exe until a patch is available. Restrict access to the ControlPointCacheShare.xml file to minimize the risk of exploitation. Avoid using unsanitized input when parsing XML files to prevent triggering the vulnerability. At the moment, there is no information about a newer version that contains a fix for this vulnerability.