CVE-2018-12243 — XML External Entity (XXE) Injection in Messaging Gateway

CWE-611 — XML External Entity (XXE) Injection3 documents3 sources

Severity

8.8HIGHNVD

EPSS

0.2%

top 55.96%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Symantec Messaging Gateway Symantec Corporation Symantec Messaging Gateway

Timeline

PublishedSep 19

Latest updateMay 14

Description

The Symantec Messaging Gateway product prior to 10.6.6 may be susceptible to a XML external entity (XXE) exploit, which is a type of issue where XML input containing a reference to an external entity is processed by a weakly configured XML parser. The attack uses file URI schemes or relative paths in the system identifier to access files that should not normally be accessible.

CVSS vector

CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDsymantec/messaging_gateway< 10.6.6

▶CVEListV5symantec_corporation/symantec_messaging_gatewayPrior to 10.6.6

🔴Vulnerability Details

GHSA

GHSA-82xf-qv3c-486v: The Symantec Messaging Gateway product prior to 10↗2022-05-14

▶

CVEList

CVE-2018-12243: The Symantec Messaging Gateway product prior to 10↗2018-09-19

▶