Vulnerabilities > CVE-2018-1000540 - XXE vulnerability in Loboevolution Project Loboevolution

CVSS 7.8 - HIGH

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

local

low complexity

loboevolution-project

CWE-611

NVD

Published: 2018-06-26

Updated: 2018-08-20

Summary

LoboEvolution version < 9b75694cedfa4825d4a2330abf2719d470c654cd contains a XML External Entity (XXE) vulnerability in XML Parsing when viewing the XML file in the browser that can result in disclosure of confidential data, denial of service, server side request forgery. This attack appear to be exploitable via Specially crafted XML file.

Vulnerable Configurations

Part	Description	Count
Application	Loboevolution_Project Loboevolution Project Loboevolution 0.98.6 Loboevolution Project Loboevolution 0.98.7 Loboevolution Project Loboevolution 0.99 Loboevolution Project Loboevolution 0.99.1 Loboevolution Project Loboevolution 0.99.2	5

Common Weakness Enumeration (CWE)

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

References

https://github.com/oswetto/LoboEvolution/issues/38