XML External Entity Vulnerability in Symantec Messaging Gateway
CVE-2018-12243

8.8HIGH

Key Information:

Vendor: Symantec Corporation
Status: Symantec Messaging Gateway
Vendor: CVE Published:; 19 September 2018

Summary

The Symantec Messaging Gateway prior to version 10.6.6 is impacted by an XML external entity (XXE) vulnerability. This issue occurs when the product's XML parser processes XML input that references external entities. Malicious actors can exploit this weakness to access sensitive files on the server by using file URI schemes or relative paths, leading to unintended file disclosures and potential system compromise.

Affected Version(s)

Symantec Messaging Gateway Prior to 10.6.6

References

https://support.symantec.com/en_US/article.SYMSA1461.html

x_refsource_CONFIRM

http://www.securityfocus.com/bid/105330

vdb-entryx_refsource_BID

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 19, 2018
Vulnerability Reserved
Jun 12, 2018