Lucene search

Veracode Vulnerability DatabaseVERACODE:44215

HistoryNov 10, 2023 - 12:11 a.m.

XML Eexternal Entity (XXE) Injection

2023-11-1000:11:10

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

xml parsing

gp6 files

gp7 files

data access

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.1 High

AI Score

Confidence

Low

0.005 Low

EPSS

Percentile

76.6%

JSON

tuxguitar is vulnerable to XML Eexternal Entity (XXE) Injection. An attacker is able to exploit a flaw in the way that TuxGuitar parses XML files to load GP6 and GP7 tablature files. The attacker can then trick a user into opening a specially crafted GP6 or GP7 file, which would cause TuxGuitar to load the file and gain access to data contained within the file.

CPENameOperatorVersion
tuxguitar:sideq1.2-25
tuxguitar:sideq1.2-25

CPE	Name	Operator	Version
	tuxguitar:sid	eq	1.2-25
	tuxguitar:sid	eq	1.2-25

References

logicaltrust.net/blog/2020/06/tuxguitar.html

security-tracker.debian.org/tracker/CVE-2020-14940

sourceforge.net/p/tuxguitar/bugs/126/

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.1 High

AI Score

Confidence

Low

0.005 Low

EPSS

Percentile

76.6%

JSON

Related for VERACODE:44215