XXE Vulnerability in WeChat Pay Java SDK Affects Multiple Versions
CVE-2018-13439

7.5HIGH

Key Information:

Vendor: Tencent
Status: Wechat Pay
Vendor: CVE Published:; 8 July 2018

What is CVE-2018-13439?

The WeChat Pay Java SDK is susceptible to XML External Entity (XXE) attacks due to improper handling of XML input. Specifically, the WXPayUtil component can be exploited by attackers through malicious merchant notification URLs. Successful exploitation may allow remote attackers to gain unauthorized access to sensitive information or perform other malicious actions. Organizations utilizing this SDK should apply appropriate mitigations to protect their systems.

References

https://packetstormsecurity.com/files/148390/WeChat-Pay-S...

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 8, 2018
Vulnerability Reserved
Jul 8, 2018

Tencent

What is CVE-2018-13439?

References

CVSS V3.1

Timeline