CVE-2019-12711XML External Entity (XXE) Injection in Cisco Unified Communications Manager

CWE-611XML External Entity (XXE) Injection4 documents4 sources
Severity
6.5MEDIUMNVD
EPSS
0.5%
top 33.71%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Cisco Unified Communications ManagerCisco Unified Communications Manager
Timeline
PublishedOct 2
Latest updateMay 24

Description

A vulnerability in the web-based interface of Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition (SME) could allow an unauthenticated, remote attacker to access sensitive information or cause a denial of service (DoS) condition. The vulnerability is due to improper restrictions on XML entities. An attacker could exploit this vulnerability by sending malicious requests to an affected system that contain references in XML entities. A successful

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:LExploitability: 3.9 | Impact: 2.5

Affected Packages2 packages

CVEListV5cisco/cisco_unified_communications_managerunspecifiedn/a

🔴Vulnerability Details

2
GHSA
GHSA-8973-52qv-v8p9: A vulnerability in the web-based interface of Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition2022-05-24
CVEList
Cisco Unified Communications Manager XML External Expansion Vulnerability2019-10-02

📋Vendor Advisories

1
Cisco
Cisco Unified Communications Manager XML External Expansion Vulnerability2019-10-02
CVE-2019-12711 — XML External Entity (XXE) Injection | cvebase