CVSS2: 5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.041 Low
Percentile: 92.2%

CLUSTERPRO X and EXPRESSCLUSTER X provided by NEC Corporation contain an XML external entity injection (XXE) vulnerability (CWE-611).
If a specially crafted XML file is read, an attacker may be able to read an arbitrary file on the server.
Update the Software
The following updates are available. Update the software to the appropriate versions according to the information provided by the developer.
CLUSTERPRO X 4.1/X 4.2 for Windows update module (CPRO-XWA40-08)
EXPRESSCLUSTER X 4.1/X 4.2 for Windows update module (CPRO-XWA40-08E)
Apply a Workaround
Applying the following workarounds may mitigate the impacts of this vulnerability.
Enable access restriction by IP address
Enable access restriction by password
Enable connection by HTTPS