CVE-2021-37425

Опубликовано: 10 авг. 2021

Источник: nvd

CVSS3: 9.1

CVSS2: 6.4

EPSS Низкий

Описание

Altova MobileTogether Server before 7.3 SP1 allows XXE attacks, such as an InfoSetChanges/Changes attack against /workflowmanagement, or reading mobiletogetherserver.cfg and then reading the certificate and private key.

Ссылки

http://seclists.org/fulldisclosure/2021/Aug/12
Exploit
Mailing List
Third Party Advisory
https://www.altova.com/mobiletogether
Vendor Advisory
https://www.redteam-pentesting.de/advisories/rt-sa-2021-002
Exploit
Third Party Advisory
https://www.redteam-pentesting.de/en/advisories/-advisories-publicised-vulnerability-analyses
Third Party Advisory
http://seclists.org/fulldisclosure/2021/Aug/12
Exploit
Mailing List
Third Party Advisory
https://www.altova.com/mobiletogether
Vendor Advisory
https://www.redteam-pentesting.de/advisories/rt-sa-2021-002
Exploit
Third Party Advisory
https://www.redteam-pentesting.de/en/advisories/-advisories-publicised-vulnerability-analyses
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:altova:mobiletogether_server:*:*:*:*:*:*:*:*

Версия от 7.0 (включая) до 7.3 (исключая)

cpe:2.3:a:altova:mobiletogether_server:7.3:-:*:*:*:*:*:*

EPSS

Процентиль: 92%

0.08684

Низкий

9.1 Critical

CVSS3

6.4 Medium

CVSS2

Дефекты

CWE-611

Связанные уязвимости

GHSA-mwxw-r5fq-rx8v

github

больше 3 лет назад