Lucene search

TR-CERTVULNRICHMENT:CVE-2024-7098

HistorySep 16, 2024 - 2:50 p.m.

CVE-2024-7098 XML Injection in SFS Consulting's ww.Winsure

2024-09-1614:50:42

CWE-611

TR-CERT

github.com

cve-2024-7098

xml injection

sfs consulting

winsure

improper restriction

external entity reference

vulnerability

security issue

version 4.6.2

CVSS4

9.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/SC:H/VI:N/SI:N/VA:L/SA:N

AI Score

Confidence

High

EPSS

0.001

Percentile

39.6%

SSVC

Exploitation

none

Automatable

Technical Impact

total

JSON

Improper Restriction of XML External Entity Reference vulnerability in SFS Consulting ww.Winsure allows XML Injection.This issue affects ww.Winsure: before 4.6.2.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:sfs_consulting:wwwinsure:*:*:*:*:*:*:*:*"
    ],
    "vendor": "sfs_consulting",
    "product": "wwwinsure",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "4.6.2",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  }
]

References

www.usom.gov.tr/bildirim/tr-24-1475

CVSS4

9.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/SC:H/VI:N/SI:N/VA:L/SA:N

AI Score

Confidence

High

EPSS

0.001

Percentile

39.6%

SSVC

Exploitation

none

Automatable

Technical Impact

total

JSON

Related for VULNRICHMENT:CVE-2024-7098