CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
EPSS
Percentile
42.8%
An exploitable XML entity injection vulnerability exists in OpenFire User Import Export Plugin 2.6.0. A specially crafted web request can cause the retrieval of arbitrary files or denial of service. An authenticated attacker can send a crafted web request to trigger this vulnerability.
OpenFire User Import Export Plugin 2.6.0
<https://www.igniterealtime.org/projects/openfire/plugins/userImportExport.jar>
8.1 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
CWE-611: Improper Restriction of XML External Entity Reference (βXXEβ)
The User Import Export Plugin is vulnerable to an XML External Entity injection attack.
The application can be exploited via either Cross Site Request Forgery or if account with given credentials is compromised.
This vulnerability may allow the retrieval of arbitrary files or the causing of a Denial of Service condition (by making the server read from a file such as `/dev/randomβ) External entities can also reference URLs, potentially allowing port scanning from the XML parserβs host, or the retrieval of sensitive web content that would otherwise be inaccessible due to network topology and defenses.
Restrict access to known, trusted users and hosts.
2017-03-06 - Vendor Disclosure
2017-07-19 - Public Release
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
EPSS
Percentile
42.8%