vendor:
N/A
by:
N/A
6,1
CVSS
MEDIUM
XML External Entity Injection (XXE)
611
CWE
Product Name: N/A
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: CVE-2017-5124
CPE: N/A
Metasploit:
https://www.rapid7.com/db/vulnerabilities/centos_linux-cve-2017-5124/, https://www.rapid7.com/db/vulnerabilities/google-chrome-cve-2017-5124/, https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2017-5124/, https://www.rapid7.com/db/vulnerabilities/redhat_linux-cve-2017-5124/, https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2017-5124/, https://www.rapid7.com/db/vulnerabilities/suse-cve-2017-5124/, https://www.rapid7.com/db/vulnerabilities/debian-cve-2017-5124/
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2017
XML External Entity Injection (XXE) in MHT File Processing
XML External Entity Injection (XXE) vulnerability in MHT file processing allows an attacker to read arbitrary files on the server, or perform remote requests, or even perform server-side request forgery (SSRF) attacks. This vulnerability is caused by the application's failure to properly sanitize user-supplied input before using it to parse an XML document. An attacker can exploit this vulnerability by crafting a malicious MHT file and sending it to the application.
Mitigation:
The application should validate user-supplied input and sanitize it before using it to parse an XML document. The application should also disable external entity resolution and entity expansion.
