Vulnerabilities > CVE-2015-0581 - XML External Entity Injection vulnerability in Cisco Prime Service Catalog 9.4.1Vortex

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

COMPLETE

Integrity impact

NONE

Availability impact

PARTIAL

network

low complexity

cisco

NVD

Published: 2015-01-28

Updated: 2015-09-17

Summary

The XML parser in Cisco Prime Service Catalog before 10.1 allows remote authenticated users to read arbitrary files or cause a denial of service (CPU and memory consumption) via an external entity declaration in conjunction with an entity reference, as demonstrated by reading private keys, related to an XML External Entity (XXE) issue, aka Bug ID CSCup92880. <a href="http://cwe.mitre.org/data/definitions/611.html">CWE-611: Improper Restriction of XML External Entity Reference ('XXE')</a>

Vulnerable Configurations

Part	Description	Count
Application	Cisco Cisco Prime Service Catalog - Cisco Prime Service Catalog 9.4.1_Vortex	2

References

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150128-psc-xmlee
http://www.securityfocus.com/bid/72350
http://www.securitytracker.com/id/1031658