PT-2025-34950 · Sangfor · DC Management System (+2)
Published 2025-08-27 · Updated 2025-08-28 · CVE-2023-7307
CVSS v4.0: 8.7 (High)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions:
Sangfor Behavior Management System (affected versions not specified)
Description:
The Sangfor Behavior Management System (also referred to as DC Management System) contains an XML external entity (XXE) injection vulnerability in the /src/sangforindex endpoint. A remote, unauthenticated attacker can submit crafted XML data containing external entity definitions. Because the XML parser is configured to resolve external entities without restriction, such input can lead to disclosure of internal files or server-side request forgery (SSRF). The product is now integrated into Sangfor's IAM (Internet Access Management) platform.
Recommendations:
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
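Until a fixed version is available, the mitigation for this vulnerability class is to stop the parser from honouring DTDs on untrusted input. The following is an added example, not code from the advisory or from Sangfor: a standard-library-only pre-check that refuses any DOCTYPE and reports the external entities a request declares, so the finding can be logged before the document ever reaches the application's parser. The endpoint, request shape and the placeholder SYSTEM identifier are assumptions.

```python
# Added example (not from the advisory or Sangfor): stdlib-only DTD pre-check
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

class UnsafeXMLError(ValueError):
    """Raised when untrusted XML declares a DTD or external entities."""

def inspect_xml(data: bytes) -> dict:
    """Walk the DTD with expat: record the DOCTYPE name and every external
    (SYSTEM/PUBLIC) entity declared. Nothing is fetched: parameter entities
    stay unexpanded and no ExternalEntityRefHandler is installed."""
    report = {"doctype": None, "external_entities": []}
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        report["doctype"] = name

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # value is None only for external entities; internal ones carry a literal
        if value is None:
            report["external_entities"].append((name, system_id or public_id))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(data, True)
    except expat.ExpatError:
        pass  # malformed input is rejected by ElementTree in the caller anyway
    return report

def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Reject any DOCTYPE outright, then parse. An unauthenticated endpoint has
    no reason to accept a DTD, so this is the simplest policy that closes XXE."""
    report = inspect_xml(data)
    if report["doctype"] is not None:
        ents = ", ".join(f"{n} -> {ref}" for n, ref in report["external_entities"])
        raise UnsafeXMLError(f"DTD refused (doctype={report['doctype']!r}; "
                             f"external entities: {ents or 'none'})")
    return ET.fromstring(data)

# Constructed sample inputs: a benign request and one shaped like an XXE probe
# (the SYSTEM identifier is a placeholder, not a real path on any system)
BENIGN = b"<request><user>alice</user></request>"
XXE_SHAPED = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE r [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/not-real">]>'
    b"<r>&ext;</r>")
```

The same report dict is what a WAF rule or request log would carry: a non-empty external_entities list on an unauthenticated endpoint is a detection signal on its own, independent of whether the parser behind it is vulnerable.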
Exploit
XXE
Affected Products
DC Management System
IAM
Sangfor Behavior Management System