CVE-2016-7460XML External Entity (XXE) Injection in Vmware Vrealize Automation

CWE-611XML External Entity (XXE) Injection3 documents3 sources
Severity
9.1CRITICALNVD
EPSS
2.0%
top 16.27%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Vmware Vrealize Automation
Timeline
PublishedDec 29
Latest updateMay 17

Description

The Single Sign-On feature in VMware vCenter Server 5.5 before U3e and 6.0 before U2a and vRealize Automation 6.x before 6.2.5 allows remote attackers to read arbitrary files or cause a denial of service via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:HExploitability: 3.9 | Impact: 5.2

Affected Packages1 packages

NVDvmware/vrealize_automation11 versions+10

🔴Vulnerability Details

2
GHSA
GHSA-mhmr-f673-jqv8: The Single Sign-On feature in VMware vCenter Server 52022-05-17
CVEList
CVE-2016-7460: The Single Sign-On feature in VMware vCenter Server 52016-12-29
CVE-2016-7460 — XML External Entity (XXE) Injection | cvebase