XML External Entity Vulnerability in Cisco Secure Access Control Server
CVE-2018-0207

3.3LOW

Key Information:

Vendor
Cisco
Status
Cisco Secure Access Control Server
Vendor
CVE Published:
8 March 2018

Summary

A vulnerability exists in the web-based user interface of the Cisco Secure Access Control Server before version 5.8 patch 9. This issue arises from improper handling of XML External Entities (XXEs) during XML file parsing. An unauthenticated remote attacker can exploit this vulnerability by persuading the system administrator to import a specifically crafted XML file, potentially allowing unauthorized read access to sensitive information within the system.

Affected Version(s)

Cisco Secure Access Control Server Cisco Secure Access Control Server

References

https://tools.cisco.com/security/center/content/CiscoSecu...
x_refsource_CONFIRM
http://www.securitytracker.com/id/1040470
vdb-entryx_refsource_SECTRACK
http://www.securityfocus.com/bid/103343
vdb-entryx_refsource_BID

CVSS V3.1

Score:
3.3
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.