The vulnerability of Microsoft SQL Server Management Studio’s database management tool lies in the insufficient restriction on XML references to external objects, which allows attackers to exploit this to disclose sensitive information.

🗓️ 09 Nov 2018 00:00:00Reported by FSTEC of Russia — Information Security Threat DatabaseType

bdu_fstec

bdu_fstec🔗 bdu.fstec.ru

Microsoft SQL Server Management Studio vulnerability allows sensitive data disclosure via XML External Entity due to weak external object restrictions.

Reporter	Title	Published	Views	Family All 23
0day.today	Microsoft SQL Server Management Studio 17.9 - XML External Entity Injection Vulnerability	11 Oct 201800:00	–	zdt
ATTACKERKB	CVE-2018-8532	10 Oct 201813:29	–	attackerkb
ATTACKERKB	CVE-2018-8533	10 Oct 201813:29	–	attackerkb
ATTACKERKB	CVE-2018-8527	10 Oct 201813:29	–	attackerkb
Circl	CVE-2018-8533	11 Oct 201800:00	–	circl
CNVD	Microsoft SQL Server Management Studio Information Disclosure Vulnerability	10 Oct 201800:00	–	cnvd
Check Point Advisories	Microsoft SQL Server Management Studio XXE Injection Information Disclosure (CVE-2018-8527; CVE-2018-8532; CVE-2018-8533)	18 Nov 201800:00	–	checkpoint_advisories
CVE	CVE-2018-8533	10 Oct 201813:00	–	cve
Cvelist	CVE-2018-8533	10 Oct 201813:00	–	cvelist
Exploit DB	Microsoft SQL Server Management Studio 17.9 - XML External Entity Injection	11 Oct 201800:00	–	exploitdb

Vulners

Node

microsoft sql_server_management_studioMatch17.9

Source	Link
securityfocus	www.securityfocus.com/bid/105476
securitytracker	www.securitytracker.com/id/1041826
portal	www.portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8533
exploit-db	www.exploit-db.com/exploits/45583/
web	www.web.nvd.nist.gov/view/vuln/detail

23 Mar 2021 00:00Current

6Medium risk

Vulners AI Score6

CVSS 34.3

CVSS 25

EPSS0.4785

Microsoft SQL Server Management Studio XML External Entity external object restriction sensitive information disclosure