CVE-2018-10613
Published 2018-06-04
Priority: P352 · high · 7.5 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 18.28% (96.9th percentile)
Multiple variants of XML External Entity (XXE) attacks may be used to exfiltrate data from the host Windows platform in GE MDS PulseNET and MDS PulseNET Enterprise version 3.2.1 and prior.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ge | mds_pulsenet | <= 3.2.1 | — |
| ge | mds_pulsenet_and_mds_pulsenet_enterprise | — | — |
CVSS provenance
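| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |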
GHSA
GHSA-vpj9-g8wm-99v5: Multiple variants of XML External Entity (XXE) attacks may be used to exfiltrate data from the host Windows platform in GE MDS PulseNET and MDS PulseN
ghsa_unreviewed·2022-05-13
CVE-2018-10613 [HIGH] CWE-611 GHSA-vpj9-g8wm-99v5: Multiple variants of XML External Entity (XXE) attacks may be used to exfiltrate data from the host Windows platform in GE MDS PulseNET and MDS PulseN
Multiple variants of XML External Entity (XXE) attacks may be used to exfiltrate data from the host Windows platform in GE MDS PulseNET and MDS PulseNET Enterprise version 3.2.1 and prior.
CISA ICS
GE MDS PulseNET and MDS PulseNET Enterprise
cisa_ics·2018-05-31·CVSS 9.8
[CRITICAL] GE MDS PulseNET and MDS PulseNET Enterprise
ICS Advisory
GE MDS PulseNET and MDS PulseNET Enterprise
Last Revised: May 31, 2018
Alert Code: ICSA-18-151-02
## 1. EXECUTIVE SUMMARY
- CVSS v3 7.3
- ATTENTION: Exploitable remotely/low skill level to exploit
- Vendor: GE
- Equipment: MDS PulseNET and MDS PulseNET Enterprise
- Vulnerabilities: Improper Authentication, Improper Restriction of XML External Entity Reference, Relative Path Traversal
## 2. RISK EVALUATION
Exploitation of these vulnerabilities may allow elevation of privilege and exfiltration of information on the host platform.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCT
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
- http://www.gegridsolutions.com/app/DownloadFile.aspx?prod=pulsenet&type=9&file=1
- http://www.securityfocus.com/bid/104377
- https://ics-cert.us-cert.gov/advisories/ICSA-18-151-02