Vulnerabilities > CVE-2017-14759 - XXE vulnerability in Opentext Document Sciences Xpression 4.5

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

opentext

CWE-611

critical

NVD

Published: 2017-10-03

Updated: 2017-10-11

Summary

OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) v4.5SP1 Patch 13 (older versions might be affected as well) is prone to an XML External Entity vulnerability: /xFramework/services/QuickDoc.QuickDocHttpSoap11Endpoint/. An unauthenticated user is able to read directory listings or system files, or cause SSRF or Denial of Service.

Vulnerable Configurations

Part	Description	Count
Application	Opentext Opentext Document Sciences Xpression 4.5	1

Common Weakness Enumeration (CWE)

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

Packetstorm

data source	https://packetstormsecurity.com/files/download/144447/opentextdsx-xxe.txt
id	PACKETSTORM:144447
last seen	2017-09-30
published	2017-09-29
reporter	Mariusz Woloszyn
source	https://packetstormsecurity.com/files/144447/OpenText-Document-Sciences-xPression-4.5SP1-Patch-13-XML-Injection.html
title	OpenText Document Sciences xPression 4.5SP1 Patch 13 XML Injection

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Packetstorm

References