PT-2022-20740 · Magicpin · Magicpin
Published: 2022-06-14 · Updated: 2022-06-27 · CVE-2022-31447
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Magicpin version 3.4
Description
An XML external entity (XXE) injection vulnerability allows attackers to access sensitive database information via a crafted SVG file.
Recommendations
For Magicpin version 3.4, update to a version that fixes the XML external entity injection vulnerability to prevent attackers from accessing sensitive database information.
As a temporary workaround, consider restricting the processing of SVG files to minimize the risk of exploitation.
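One way to apply the workaround above at an upload or ingestion point, as an added example that is not Magicpin's code or part of the original advisory: a Python gate that refuses any SVG carrying a DOCTYPE declaration before it reaches a full XML processor. The function name and sample documents are constructed for illustration; the advisory does not describe Magicpin's parsing stack.

```python
import xml.parsers.expat

SVG_NS = "http://www.w3.org/2000/svg"


class RejectedSvg(ValueError):
    """Raised when an SVG document fails the pre-processing gate."""


def check_svg(data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for an untrusted SVG byte string."""
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    seen_root = False

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Entities (internal or external) can only be declared in a DTD,
        # so refusing the DOCTYPE removes the XXE primitive entirely.
        raise RejectedSvg("DOCTYPE declaration not allowed")

    def on_start(name, attrs):
        nonlocal seen_root
        if not seen_root:
            seen_root = True
            # With a namespace separator, expat reports "<uri> <localname>".
            if name != f"{SVG_NS} svg":
                raise RejectedSvg("root element is not an SVG <svg>")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except RejectedSvg as exc:
        return False, str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return False, f"not well-formed XML: {exc}"
    return True, "ok"


# Constructed sample inputs (not taken from the advisory).
BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'
WITH_DTD = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE svg [<!ENTITY e SYSTEM "file:///constructed/placeholder">]>'
            b'<svg xmlns="http://www.w3.org/2000/svg"><text>&e;</text></svg>')
NOT_SVG = b'<html xmlns="http://www.w3.org/1999/xhtml"/>'

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("dtd", WITH_DTD), ("not-svg", NOT_SVG)):
        print(label, check_svg(doc))
```

Legitimate SVG files rarely need a DTD, so rejecting the DOCTYPE outright is usually acceptable; files exported by older tools that emit the W3C SVG DOCTYPE would need it stripped before resubmission.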
Exploit
Fix
XXE
Weakness Enumeration
Related Identifiers
Affected Products
Magicpin