Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2020-4463 — XML External Entity (XXE) Injection in IBM Maximo Asset Management

CWE-611 — XML External Entity (XXE) Injection5 documents5 sources

Severity

8.2HIGHNVD

EPSS

85.8%

top 0.62%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

IBM Maximo Asset Management

Timeline

PublishedJul 29

Latest updateMay 24

Description

IBM Maximo Asset Management 7.6.0.1 and 7.6.0.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 181484.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:LExploitability: 3.9 | Impact: 4.2

Affected Packages2 packages

▶CVEListV5ibm/maximo_asset_management7.6.0.1, 7.6.0.2+1

▶NVDibm/maximo_asset_management7.6.0.1, 7.6.0.2+1

Patches

Patch: www.ibm.com ↗Patch: www.ibm.com ↗

🔴Vulnerability Details

GHSA

GHSA-mh5x-6mg7-gjp9: IBM Maximo Asset Management 7↗2022-05-24

▶

CVEList

CVE-2020-4463: IBM Maximo Asset Management 7↗2020-07-29

▶

VulnCheck

IBM maximo_asset_management Improper Restriction of XML External Entity Reference↗2020

▶

💥Exploits & PoCs

Nuclei

IBM Maximo Asset Management Information Disclosure - XML External Entity Injection

▶