CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
76.7%
XML Language Server (aka lsp4xml) before 0.9.1, as used in Red Hat XML Language Support (aka vscode-xml) before 0.9.1 for Visual Studio and other products, allows XXE via a crafted XML document, with resultant SSRF (as well as SMB connection initiation that can lead to NetNTLM challenge/response capture for password cracking). This occurs in extensions/contentmodel/participants/diagnostics/LSPXMLParserConfiguration.java.
Vendor | Product | Version | CPE |
---|---|---|---|
xml_language_server_project | xml_server_project | * | cpe:2.3:a:xml_language_server_project:xml_server_project:*:*:*:*:*:*:*:* |
eclipse | wild_web_developer | - | cpe:2.3:a:eclipse:wild_web_developer:-:*:*:*:*:*:*:* |
theia_xml_extension_project | theia_xml_extension | - | cpe:2.3:a:theia_xml_extension_project:theia_xml_extension:-:*:*:*:*:*:*:* |
github.com/angelozerr/lsp4xml/
github.com/angelozerr/lsp4xml/blob/master/CHANGELOG.md#others
github.com/angelozerr/lsp4xml/pull/566
github.com/redhat-developer/vscode-xml/
marketplace.visualstudio.com/items?itemName=redhat.vscode-xml
www.shielder.it/blog/dont-open-that-xml-xxe-to-rce-in-xml-plugins-for-vs-code-eclipse-theia/
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
76.7%