7.4 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
8.3 High
AI Score
Confidence
High
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
0.974 High
EPSS
Percentile
99.9%
IBM Endpoint Manager is prone to a XML External Entity Injection
# SPDX-FileCopyrightText: 2014 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
CPE = "cpe:/a:ibm:tivoli_endpoint_manager";
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.105130");
script_cve_id("CVE-2014-0224");
script_tag(name:"cvss_base", value:"5.8");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:P/I:P/A:N");
script_version("2023-07-27T05:05:08+0000");
script_name("IBM Endpoint Manager XML External Entity Injection");
script_xref(name:"URL", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21673961");
script_xref(name:"URL", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21673964");
script_xref(name:"URL", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21673967");
script_tag(name:"impact", value:"This vulnerability could allow an attacker to access files
on an affected server or cause an affected server to make an arbitrary HTTP GET request.");
script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");
script_tag(name:"insight", value:"IBM Endpoint Manager could allow a remote attacker to obtain
sensitive information, caused by an XML External Entity Injection (XXE) error when processing XML
data. By sending specially-crafted XML data, an attacker could exploit this vulnerability to access
files and obtain sensitive information on the server.");
script_tag(name:"affected", value:"All 9.1 releases of the Console, Root Server, Web Reports and Server API
earlier than 9.1.1088.0
All 9.0 releases of the Console, Root Server, Web Reports and Server API earlier than 9.0.853.0
All 8.2 releases of Web Reports and Server API earlier than 8.2.1445.0");
script_tag(name:"summary", value:"IBM Endpoint Manager is prone to a XML External Entity Injection");
script_tag(name:"solution", value:"Update to the latest version.");
script_tag(name:"solution_type", value:"VendorFix");
script_tag(name:"last_modification", value:"2023-07-27 05:05:08 +0000 (Thu, 27 Jul 2023)");
script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N");
script_tag(name:"severity_origin", value:"NVD");
script_tag(name:"severity_date", value:"2020-07-28 16:40:00 +0000 (Tue, 28 Jul 2020)");
script_tag(name:"creation_date", value:"2014-12-03 14:44:19 +0100 (Wed, 03 Dec 2014)");
script_category(ACT_GATHER_INFO);
script_tag(name:"qod_type", value:"remote_banner");
script_family("Web application abuses");
script_copyright("Copyright (C) 2014 Greenbone AG");
script_dependencies("gb_ibm_endpoint_manager_web_detect.nasl");
script_require_ports("Services/www", 52311);
script_mandatory_keys("ibm_endpoint_manager/installed");
exit(0);
}
include("host_details.inc");
if( ! port = get_app_port( cpe:CPE ) ) exit( 0 );
if( ! version = get_app_version( cpe:CPE, port:port ) ) exit( 0 );
if( version =~ "^9\.1\.[0-9]+" )
{
cv = split( version, sep:'.', keep:FALSE );
ck_version = cv[2];
if( int( ck_version ) < int( 1088 ) )
{
VULN = TRUE;
fixed_version = '9.1.1088.0';
}
}
else if( version =~ "^9\.0\.[0-9]+" )
{
cv = split( version, sep:'.', keep:FALSE );
ck_version = cv[2];
if( int( ck_version ) < int( 853 ) )
{
VULN = TRUE;
fixed_version = '9.0.853.0';
}
}
else if( version =~ "^8\.2\.[0-9]+" )
{
cv = split( version, sep:'.', keep:FALSE );
ck_version = cv[2];
if( int( ck_version ) < int( 1445 ) )
{
VULN = TRUE;
fixed_version = '8.2.1445.0';
}
}
if( VULN )
{
report = 'Installed version: ' + version + '\nFixed version: ' + fixed_version + '\n';
security_message( port:port, data:report );
exit( 0 );
}
exit( 99 );
7.4 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
8.3 High
AI Score
Confidence
High
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
0.974 High
EPSS
Percentile
99.9%