RPC.php' XML Entity Expansion

CVSS 5.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

PARTIAL

network

low complexity

revive-adserver

NVD

Published: 2014-12-19

Updated: 2018-10-09

Summary

The XML_RPC_cd function in lib/pear/XML/RPC.php in Revive Adserver before 3.0.6 allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted XML-RPC request, aka an XML Entity Expansion (XEE) attack. <a href="http://cwe.mitre.org/data/definitions/611.html">CWE-611: Improper Restriction of XML External Entity Reference ('XXE')</a>

Vulnerable Configurations

Part	Description	Count
Application	Revive-Adserver Revive Adserver Revive Adserver - Revive Adserver Revive Adserver 3.0.0 Revive Adserver Revive Adserver 3.0.1 Revive Adserver Revive Adserver 3.0.2 Revive Adserver Revive Adserver 3.0.3 Revive Adserver Revive Adserver 3.0.4 Revive Adserver Revive Adserver 3.0.5	7

Packetstorm

data source	https://packetstormsecurity.com/files/download/129621/REVIVE-SA-2014-002.txt
id	PACKETSTORM:129621
last seen	2016-12-05
published	2014-12-17
reporter	Matteo Beccati
source	https://packetstormsecurity.com/files/129621/Revive-Adserver-3.0.5-Cross-Site-Scripting-Denial-Of-Service.html
title	Revive Adserver 3.0.5 Cross Site Scripting / Denial Of Service

Summary

Vulnerable Configurations

Packetstorm

References