CVE-2023-39472XML External Entity (XXE) Injection in Ignition

CWE-611XML External Entity (XXE) Injection3 documents3 sources
Severity
6.5MEDIUMNVD
EPSS
0.5%
top 32.57%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Inductiveautomation IgnitionInductive Automation Ignition
Timeline
PublishedMay 3

Description

Inductive Automation Ignition SimpleXMLReader XML External Entity Processing Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Inductive Automation Ignition. Authentication is required to exploit this vulnerability. The specific flaw exists within the SimpleXMLReader class. Due to the improper restriction of XML External Entity (XXE) references, a crafted document specifying a URI causes the XML parser

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

NVDinductiveautomation/ignition8.1.08.1.32
CVEListV5inductive_automation/ignition8.1.17 LTS

🔴Vulnerability Details

2
GHSA
GHSA-g3rp-9m2c-vrwm: Inductive Automation Ignition SimpleXMLReader XML External Entity Processing Information Disclosure Vulnerability2024-05-03
CVEList
Inductive Automation Ignition SimpleXMLReader XML External Entity Processing Information Disclosure Vulnerability2024-05-03
CVE-2023-39472 — XML External Entity (XXE) Injection | cvebase