Unauthenticated Blind XXE Vulnerability in Lumis Experience Platform
CVE-2021-27931
CVSS 9.1 CRITICAL
What is CVE-2021-27931?
Lumis Experience Platform (XP) before version 10.0.0 is vulnerable to unauthenticated blind XML External Entity (XXE) injection. An attacker who can reach the PageControllerXml.jsp API endpoint over the network sends a crafted XML request carrying an external entity declaration, and the server-side XML parser resolves that entity with the privileges of the application process. Because the injection is blind, the expanded entity is not echoed back in the response, so file contents are typically exfiltrated out of band (for example through an attacker-hosted external DTD) or inferred from parser error messages. The impact is disclosure of local files readable by the server process and denial of service; no credentials or user interaction are needed. That profile is why the CVSS vector rates confidentiality and availability as High while integrity is None. The fix is to upgrade to version 10.0.0 or later.
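The following is an added illustration of the bug class described above, not code from Lumis or from this advisory. Lumis XP is a Java product and its parser configuration is not public, so the example uses Python's standard-library SAX parser to show the two halves of the story: a parser that resolves external general entities leaks a local file into the parsed content, and a hardened parser that refuses any DOCTYPE rejects the same payload before any entity can be declared. The function names (xxe_payload, parse_untrusted_vulnerable, parse_untrusted_hardened, demo), the DoctypeRejected exception and the secret file contents are all made up for the example.

```python
"""Added example: XXE against a permissive XML parser versus a hardened one.

Standard library only (xml.sax).  Names and the "secret" file are
constructed for this illustration; nothing here is Lumis code.
"""
import io
import os
import tempfile
import xml.sax
import xml.sax.handler


class DoctypeRejected(ValueError):
    """Raised by the hardened parser as soon as a DOCTYPE is seen."""


class TextCollector(xml.sax.handler.ContentHandler):
    """Collects character data so we can see what the parser expanded."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    def text(self):
        return "".join(self.chunks)


class RejectDoctype:
    """Lexical handler whose only job is to abort on startDTD.

    expat's SAX driver wires up all five lexical callbacks when a
    lexical handler is installed, so the other four must exist too."""

    def startDTD(self, name, public_id, system_id):
        raise DoctypeRejected(
            f"DOCTYPE not allowed (root {name!r}, SYSTEM {system_id!r})")

    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def xxe_payload(path):
    """Classic file-read XXE: declare an external general entity whose
    SYSTEM id is a local path and reference it inside an element.

    The blind/out-of-band variant differs only in the DTD: a parameter
    entity pointing at an attacker-hosted DTD that relays the file.
    Refusing the DOCTYPE blocks both shapes."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE request [<!ENTITY xxe SYSTEM "{path}">]>\n'
        '<request><page>&xxe;</page></request>\n'
    ).encode()


def parse_untrusted_vulnerable(data):
    """Misconfigured parser: external general entities are resolved, so a
    SYSTEM entity pulls in whatever file the server process can open."""
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, True)  # the mistake
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(data))
    return handler.text()


def parse_untrusted_hardened(data):
    """Hardened parser: no external entities and no DTD at all.

    Rejecting the DOCTYPE also removes entity-expansion DoS (billion
    laughs), because nothing can be declared in the first place."""
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, False)
    parser.setFeature(xml.sax.handler.feature_external_pes, False)
    parser.setProperty(xml.sax.handler.property_lexical_handler, RejectDoctype())
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(data))
    return handler.text()


def demo():
    """Constructed scenario: a temp file stands in for a config file on the
    application server.  Returns (text leaked by the weak parser, whether
    the hardened parser blocked the same payload)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("db_password=hunter2")  # constructed secret, not real data
        secret_path = f.name
    try:
        payload = xxe_payload(secret_path)
        leaked = parse_untrusted_vulnerable(payload)
        try:
            parse_untrusted_hardened(payload)
            blocked = False
        except DoctypeRejected:
            blocked = True
        return leaked, blocked
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    leaked_text, was_blocked = demo()
    print("vulnerable parser leaked:", repr(leaked_text))
    print("hardened parser blocked DOCTYPE:", was_blocked)
```

The design point carries over to Java: the equivalent hardening for a JAXP-based endpoint is to disable DOCTYPE declarations and external general/parameter entities on the parser factory rather than trying to filter payloads, since blind and out-of-band variants never need the parsed value to appear in the response.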
EPSS Score
84% (EPSS estimates the probability of exploitation activity in the wild within the next 30 days, so this flaw should be prioritised for patching.)
CVSS v3.1
Score: 9.1 (Critical)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: High