CVE-2019-7442
published 2019-05-08


Priority: P180 · critical · 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: public exploit available
EPSS: 40.01% (98.4th percentile)
An XML external entity (XXE) vulnerability in the Password Vault Web Access (PVWA) of CyberArk Enterprise Password Vault <=10.7 allows remote attackers to read arbitrary files or potentially bypass authentication via a crafted DTD in the SAML authentication system.

Affected

1 range
Vendor: cyberark · Product: enterprise_password_vault · Version range: <= 10.7 · Fixed in: (not listed)

Detection & IOCs (extracted from sources)

  url:   https://example.com/PasswordVault/auth/saml/
  path:  /PasswordVault/auth/saml/
  other: SAMLResponse=PCFET0NUWVBFIHIgWwo8IUVMRU1FTlQgciBBTlkgPgo8IUVOVElUWSAlIHNwIFNZU1RFTSAiaHR0cDovL2V4dGVybmFsc2VydmVyLmNvbS9wZXBlLmR0ZCI+CiVzcDsKJXBhcmFtMTsKXT4KPHI+JmV4ZmlsOzwvcj4%3d
  • Detect outbound HTTP GET requests from the PVWA server to external hosts fetching .dtd files; such a request indicates a successful XXE out-of-band fetch (e.g., GET /pepe.dtd).
  • Alert on outbound HTTP GET requests from the PVWA server whose query string carries URL-encoded file content, which indicates successful XXE file exfiltration over an out-of-band channel.
  • The XXE payload uses a crafted DTD with a parameter entity (%sp;) loaded from an external server, followed by a secondary parameter entity (%param1;) to exfiltrate data. Detect SAMLResponse values whose base64-decoded content contains '<!DOCTYPE', '<!ENTITY', '%sp;', or '%param1;'.
  • The exploit targets the SAML authentication flow via an HTTP POST with Content-Type: application/x-www-form-urlencoded to the PVWA endpoint. Inspect the SAMLResponse POST parameter for XML DOCTYPE injection.
  • The XXE vulnerability is exploitable only when SAML authentication is enabled in the PVWA configuration. Environments not using SAML are not directly exposed via this attack vector.
  • The attack is unauthenticated: the malicious SAMLResponse payload is submitted to the pre-authentication SAML endpoint, so no valid credentials are required to trigger the XXE.

CVSS provenance

  nvd · v3.0 · 9.8 · CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  nvd · v2.0 · 7.5 · HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P