CVE-2017-17762
published 2018-08-29
Priority: P277 · high · 7.5 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 4.65% (90.6th percentile)
XML external entity (XXE) vulnerability in Episerver 7 patch 4 and earlier allows remote attackers to read arbitrary files via a crafted DTD in an XML request involving util/xmlrpc/Handler.ashx.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| episerver | episerver | <= 7 | — |
| episerver | episerver | — | — |
Detection & IOCs (extracted from sources)
path: /util/xmlrpc/Handler.ashx
command:
POST /util/xmlrpc/Handler.ashx HTTP/1.1
Content-Type: text/xml
Accept: */*
sigma:
shodan-query: http.html:"episerver" OR http.html:"epihash"
- Probe for CVE-2017-17762 by first issuing a GET to /util/xmlrpc/Handler.ashx and confirming the response body contains 'EPiServer' with HTTP 200, then sending a malicious XML POST with an out-of-band XXE payload to the same endpoint.
- Exploitation confirmation: a successful out-of-band XXE is indicated by an inbound DNS interaction (interactsh/OOB callback) combined with an HTTP 200 or 500 response from the target endpoint.
- Hunt for exposed Episerver instances using Shodan queries for 'http.html:episerver', 'http.html:epihash', or the CPE string 'cpe:2.3:a:episerver:episerver', and FOFA queries for 'body=episerver' or 'body=epihash'.
- The attack vector is a crafted DTD embedded in an XML POST body sent to /util/xmlrpc/Handler.ashx; monitor for XML POST requests to this path containing DOCTYPE declarations with SYSTEM or ENTITY keywords as an indicator of XXE exploitation attempts.
- The Nuclei template uses an out-of-band (OOB/interactsh) DNS callback to confirm blind XXE; a DNS interaction alone is the confirmation signal, and no direct file content is returned in-band.
- The exploit flow is two-step: step 1 fingerprints the host (GET + body check for 'EPiServer'), and step 2 fires the XXE payload only if step 1 succeeds. Both conditions must be met for a true positive.
- An HTTP 500 response on the POST is treated as a valid exploitation indicator alongside HTTP 200, so error responses should not be dismissed during detection.
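
The monitoring rule described above, as an added example (not code from this page or from any of the cited sources). It assumes request records captured by a proxy or WAF that retains POST bodies; the record layout (`method`, `url`, `status`, `body`) and all function names are hypothetical, and the sample records are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

TARGET_PATH = "/util/xmlrpc/handler.ashx"  # compared lowercased (IIS paths are case-insensitive)
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.I)
# Page names SYSTEM and ENTITY; PUBLIC is added here as the other external-identifier keyword.
EXTERNAL_RE = re.compile(r"<!ENTITY\b|\b(?:SYSTEM|PUBLIC)\b", re.I)

def decode_body(raw):
    """Decode a body so a UTF-16 re-encoding cannot slip past a byte-level match."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16", errors="replace")
    if b"\x00" in raw[:4]:  # BOM-less UTF-16: NUL bytes interleaved with ASCII
        codec = "utf-16-le" if raw[1:2] == b"\x00" else "utf-16-be"
        return raw.decode(codec, errors="replace")
    return raw.decode("utf-8-sig", errors="replace")

def classify(req):
    """Return a finding label for one request record, or None if it is not of interest."""
    path = unquote(urlsplit(req["url"]).path).lower()
    if req["method"].upper() != "POST" or path != TARGET_PATH:
        return None
    body = decode_body(req["body"])
    if not DOCTYPE_RE.search(body):  # ordinary XML-RPC calls carry no DTD at all
        return None
    kind = "xxe-attempt" if EXTERNAL_RE.search(body) else "doctype-present"
    # The status is reported, never filtered on: a 500 is as significant as a 200.
    return f"{kind} status={req['status']}"

def scan(requests):
    """Return (index, finding) for every flagged record."""
    return [(i, f) for i, r in enumerate(requests) if (f := classify(r))]

# Constructed sample records; the host name is a non-resolvable placeholder.
DTD = '<!DOCTYPE r [<!ENTITY e SYSTEM "http://oob.example.invalid/x">]><r/>'
SAMPLES = [
    {"method": "POST", "url": "/util/xmlrpc/Handler.ashx", "status": 200,
     "body": b"<?xml version='1.0'?><methodCall><methodName>example.ping</methodName></methodCall>"},
    {"method": "POST", "url": "/Util/XmlRpc/handler.ashx?x=1", "status": 500,
     "body": DTD.encode("utf-8")},
    {"method": "POST", "url": "/util/xmlrpc/Handler%2Eashx", "status": 200,
     "body": DTD.encode("utf-16")},
    {"method": "GET", "url": "/util/xmlrpc/Handler.ashx", "status": 200, "body": b""},
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLES):
        print(idx, finding)
```

Correlating a flagged request with outbound DNS or HTTP from the web server in the same time window covers the out-of-band confirmation signal noted in the list.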
CVSS provenance
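| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vulncheck | n/a | 7.5 | HIGH | n/a |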
GHSA
ghsa_unreviewed·2022-05-24
CVE-2017-17762 [HIGH] CWE-611 GHSA-qvv4-58rx-f26c: XML external entity (XXE) vulnerability in Episerver 7 patch 4 and earlier allows remote attackers to read arbitrary files via a crafted DTD in an XML
VulnCheck
vulncheck·2017·CVSS 7.5
CVE-2017-17762 [HIGH] episerver episerver Improper Restriction of XML External Entity Reference
Affected: episerver episerver
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2017-17762
No detection rules found.
Nuclei
nuclei·CVSS 7.5
CVE-2017-17762 [HIGH] Episerver 7 - Blind XML External Entity Injection
Episerver 7 patch 4 and earlier contains an XML external entity (XXE) caused by processing crafted DTD in XML requests involving util/xmlrpc/Handler.ashx, letting remote attackers read arbitrary files, exploit requires sending malicious XML payloads.
Template:
```yaml
id: CVE-2017-17762

info:
  name: Episerver 7 - Blind XML External Entity Injection
  author: pussycat0x
  severity: high
  description: |
    Episerver 7 patch 4 and earlier contains an XML external entity (XXE) caused by processing crafted DTD in XML requests involving util/xmlrpc/Handler.ashx, letting remote attackers read arbitrary files, exploit requires sending malicious XML payloads.
  impact: |
    Remote attackers can read sensitive files from the server, leading to information disclosure.
```
No writeups or analysis indexed.