Описание
An XXE issue was discovered in Automated Logic Corporation (ALC) WebCTRL Versions 6.0, 6.1 and 6.5. An unauthenticated attacker could enter malicious input to WebCTRL and a weakly configured XML parser will allow the application to disclose full file contents from the underlying web server OS via the "X-Wap-Profile" HTTP header.
Ссылки
- Third Party AdvisoryVDB Entry
- Mailing ListThird Party Advisory
- ExploitThird Party Advisory
- Third Party AdvisoryVDB Entry
- Mailing ListThird Party Advisory
- ExploitThird Party Advisory
Уязвимые конфигурации
Конфигурация 1
Одно из
cpe:2.3:a:carrier:automatedlogic_webctrl:6.0:*:*:*:*:*:*:*
cpe:2.3:a:carrier:automatedlogic_webctrl:6.1:*:*:*:*:*:*:*
cpe:2.3:a:carrier:automatedlogic_webctrl:6.5:*:*:*:*:*:*:*
EPSS
Процентиль: 81%
0.01471
Низкий
7.5 High
CVSS3
5 Medium
CVSS2
Дефекты
CWE-611
Связанные уязвимости
CVSS3: 7.5
github
больше 3 лет назад
An XXE issue was discovered in Automated Logic Corporation (ALC) WebCTRL Versions 6.0, 6.1 and 6.5. An unauthenticated attacker could enter malicious input to WebCTRL and a weakly configured XML parser will allow the application to disclose full file contents from the underlying web server OS via the "X-Wap-Profile" HTTP header.
EPSS
Процентиль: 81%
0.01471
Низкий
7.5 High
CVSS3
5 Medium
CVSS2
Дефекты
CWE-611