Vulnerabilities > CVE-2018-17289 - XXE vulnerability in Kofax Front Office Server 4.1.1.11.0.5212

CVSS 4.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

PARTIAL

Integrity impact

NONE

Availability impact

NONE

network

low complexity

kofax

CWE-611

NVD

Published: 2019-04-18

Updated: 2019-04-19

Summary

An XML external entity (XXE) vulnerability in Kofax Front Office Server Administration Console version 4.1.1.11.0.5212 allows remote authenticated users to read arbitrary files via crafted XML inside an imported package configuration (.ZIP file) within the Kofax/KFS/Admin/PackageService/package/upload file parameter.

Vulnerable Configurations

Part	Description	Count
Application	Kofax Kofax Front Office Server 4.1.1.11.0.5212	1

Common Weakness Enumeration (CWE)

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

References

https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2018-17289-XXE-Kofax