Vulnerabilities > CVE-2014-7177 - XML External Entity Information Disclosure vulnerability in Enalean Tuleap

CVSS 4.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

PARTIAL

Integrity impact

NONE

Availability impact

NONE

network

low complexity

enalean

exploit available

NVD

Published: 2014-10-31

Updated: 2017-09-08

Summary

XML External Entity vulnerability in Enalean Tuleap 7.2 and earlier allows remote authenticated users to read arbitrary files via a crafted xml document in a create action to plugins/tracker/. <a href="http://cwe.mitre.org/data/definitions/611.html" target="_blank">CWE-611: Improper Restriction of XML External Entity Reference ('XXE')</a>

Vulnerable Configurations

Part	Description	Count
Application	Enalean Enalean Tuleap 4.0.9 Enalean Tuleap 4.0.10 Enalean Tuleap 4.0.11 Enalean Tuleap 4.0.12 Enalean Tuleap 4.0.13 Enalean Tuleap 4.0.14 Enalean Tuleap 4.0.15 Enalean Tuleap 4.0.16 Enalean Tuleap 4.0.17 Enalean Tuleap 4.0.17.1 Enalean Tuleap 4.0.17.2 Enalean Tuleap 4.0.18 Enalean Tuleap 4.0.18.1 Enalean Tuleap 4.0.18.2 Enalean Tuleap 4.0.19 Enalean Tuleap 4.0.19.1 Enalean Tuleap 4.0.19.2 Enalean Tuleap 4.0.20 Enalean Tuleap 4.0.21 Enalean Tuleap 4.0.22 Enalean Tuleap 4.0.23 Enalean Tuleap 4.0.24 Enalean Tuleap 4.0.24.1 Enalean Tuleap 4.0.25 Enalean Tuleap 4.0.26 Enalean Tuleap 4.0.26.1 Enalean Tuleap 4.0.27 Enalean Tuleap 4.0.27.1 Enalean Tuleap 4.0.27.2 Enalean Tuleap 4.0.27.3 Enalean Tuleap 4.0.28 Enalean Tuleap 4.0.28.1 Enalean Tuleap 5.0 Enalean Tuleap 5.0.1 Enalean Tuleap 5.0.2 Enalean Tuleap 5.0.3 Enalean Tuleap 5.0.4 Enalean Tuleap 5.1.0 Enalean Tuleap 5.2 Enalean Tuleap 5.3 Enalean Tuleap 5.3.1 Enalean Tuleap 5.4 Enalean Tuleap 5.4.1 Enalean Tuleap 5.5 Enalean Tuleap 5.5.1 Enalean Tuleap 5.5.2 Enalean Tuleap 5.5.3 Enalean Tuleap 5.5.4 Enalean Tuleap 5.6 Enalean Tuleap 5.6.1 Enalean Tuleap 5.6.2 Enalean Tuleap 5.7 Enalean Tuleap 5.7.1 Enalean Tuleap 5.8 Enalean Tuleap 5.9 Enalean Tuleap 5.9.1 Enalean Tuleap 5.11 Enalean Tuleap 5.12 Enalean Tuleap 6.0 Enalean Tuleap 6.1 Enalean Tuleap 6.2 Enalean Tuleap 6.3 Enalean Tuleap 6.4 Enalean Tuleap 6.5 Enalean Tuleap 6.6 Enalean Tuleap 6.7 Enalean Tuleap 6.7.1 Enalean Tuleap 6.8 Enalean Tuleap 6.9 Enalean Tuleap 6.10 Enalean Tuleap 6.10-2 Enalean Tuleap 6.10-3 Enalean Tuleap 6.10-4 Enalean Tuleap 6.10-5 Enalean Tuleap 6.11 Enalean Tuleap 6.11-2 Enalean Tuleap 6.11-3 Enalean Tuleap 6.12 Enalean Tuleap 6.12-2 Enalean Tuleap 7.0 Enalean Tuleap 7.0-1 Enalean Tuleap 7.1 Enalean Tuleap 7.1-2 Enalean Tuleap 7.2	84

Exploit-Db

description	Enalean Tuleap 7.2 - XXE File Disclosure. CVE-2014-7176,CVE-2014-7177. Webapps exploit for php platform
id	EDB-ID:35099
last seen	2016-02-04
modified	2014-10-28
published	2014-10-28
reporter	Portcullis
source	https://www.exploit-db.com/download/35099/
title	Enalean Tuleap 7.2 - XXE File Disclosure

Packetstorm

data source	https://packetstormsecurity.com/files/download/128876/tuleap-xxe.txt
id	PACKETSTORM:128876
last seen	2016-12-05
published	2014-10-28
reporter	Jerzy Kramarz
source	https://packetstormsecurity.com/files/128876/Tuleap-7.2-XXE-Injection.html
title	Tuleap 7.2 XXE Injection

Seebug

bulletinFamily	exploit
description	No description provided by source.
id	SSV:87391
last seen	2017-11-19
modified	2014-11-13
published	2014-11-13
reporter	Root
source	https://www.seebug.org/vuldb/ssvid-87391
title	Enalean Tuleap 7.2 - XXE File Disclosure

Summary

Vulnerable Configurations

Exploit-Db

Packetstorm

Seebug

References