Vulnerabilities > CVE-2018-14473 - XXE vulnerability in Ocsinventory-Ng Ocsinventory NG 2.4.1

CVSS 9.1 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

HIGH

network

low complexity

ocsinventory-ng

CWE-611

critical

NVD

Published: 2018-08-04

Updated: 2018-10-01

Summary

OCS Inventory 2.4.1 lacks a proper XML parsing configuration, allowing the use of external entities. This issue can be exploited by an attacker sending a crafted HTTP request in order to exfiltrate information or cause a Denial of Service.

Vulnerable Configurations

Part	Description	Count
Application	Ocsinventory-Ng Ocsinventory NG Ocsinventory NG 2.4.1	1

Common Weakness Enumeration (CWE)

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

References

https://www.tarlogic.com/en/blog/vulnerabilities-in-ocs-inventory-2-4-1/