XML External Entity Injection Vulnerability in Dell EMC Data Protection Advisor
CVE-2018-11048

8.1HIGH

Key Information:

Vendor

Dell
Status
Data Protection Advisor
Integrated Data Protection Appliance
Vendor
CVE Published:
10 August 2018

What is CVE-2018-11048?

An XML External Entity Injection vulnerability exists in the REST API of Dell EMC Data Protection Advisor and Integrated Data Protection Appliance, affecting several versions. This vulnerability allows an authenticated remote attacker to access sensitive system files on the server or trigger a denial of service condition by sending specially crafted Document Type Definitions (DTDs) within an XML request. Proper validation and sanitization of XML input is essential to mitigate the associated risks.

Affected Version(s)

Data Protection Advisor 6.2

Data Protection Advisor 6.3

Data Protection Advisor 6.4

References

http://www.securityfocus.com/bid/105130
vdb-entryx_refsource_BID
http://seclists.org/fulldisclosure/2018/Aug/5
mailing-listx_refsource_FULLDISC
http://www.securitytracker.com/id/1041417
vdb-entryx_refsource_SECTRACK

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.