XML External Entity Vulnerability in mxGraph Product by JGraph
CVE-2017-18197

9.8CRITICAL

Key Information:

Vendor: Jgraph
Status: Mxgraph
Vendor: CVE Published:; 24 February 2018

What is CVE-2017-18197?

The mxGraph library prior to version 3.7.6 is susceptible to XML External Entity (XXE) attacks due to a misconfiguration in the SAXParserFactory instance within the convert() method of the mxGraphViewImageReader.java file. This vulnerability could allow malicious XML input to exploit the system, potentially leading to disclosure of sensitive information or further exploitation of the vulnerable application.

References

https://github.com/jgraph/mxgraph/issues/124

x_refsource_CONFIRM

https://lists.debian.org/debian-lts-announce/2018/03/msg0...

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 24, 2018
Vulnerability Reserved
Feb 23, 2018

CVE-2017-18197 Data

JSON

Jgraph

What is CVE-2017-18197?

References

CVSS V3.1

Timeline