XML External Entity Flaw in Fess by Codelibs
CVE-2018-1000822

10 CRITICAL

Key Information:

Vendor: Codelibs
Status: Vendor
CVE Published: 20 December 2018

What is CVE-2018-1000822?

Codelibs Fess contains an XML External Entity (XXE) vulnerability in its GSA XML file parser. An attacker who can supply a crafted GSA XML file can exploit it to disclose sensitive information, cause a denial of service, and perform server-side request forgery (SSRF) and port scanning from the Fess host. The flaw has been addressed in updates after commit faa265b, so deployments should run the latest version to stay secure.

References

CVSS V3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved
