CVE-2018-1000836

Опубликовано: 20 дек. 2018

Источник: nvd

CVSS3: 9

CVSS2: 6.8

EPSS Низкий

Описание

bw-calendar-engine version <= bw-calendar-engine-3.12.0 contains a XML External Entity (XXE) vulnerability in IscheduleClient XML Parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via Man in the Middle or malicious server.

Ссылки

https://0dd.zone/2018/10/28/bw-calendar-engine-XXE-MitM/
Third Party Advisory
https://github.com/Bedework/bw-calendar-engine/issues/3
Third Party Advisory
https://0dd.zone/2018/10/28/bw-calendar-engine-XXE-MitM/
Third Party Advisory
https://github.com/Bedework/bw-calendar-engine/issues/3
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:apereo:bw-calendar-engine:*:*:*:*:*:*:*:*

Версия до 3.12.0 (включая)

EPSS

Процентиль: 52%

0.00292

Низкий

9 Critical

CVSS3

6.8 Medium

CVSS2

Дефекты

CWE-611

Связанные уязвимости

GHSA-xmvg-w4f9-99r7