Vulnerabilities > CVE-2018-8819 - XXE vulnerability in Carrier Automatedlogic Webctrl 6.0/6.1/6.5

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

carrier

CWE-611

NVD

Published: 2018-06-14

Updated: 2021-07-27

Summary

An XXE issue was discovered in Automated Logic Corporation (ALC) WebCTRL Versions 6.0, 6.1 and 6.5. An unauthenticated attacker could enter malicious input to WebCTRL and a weakly configured XML parser will allow the application to disclose full file contents from the underlying web server OS via the "X-Wap-Profile" HTTP header.

Vulnerable Configurations

Part	Description	Count
Application	Carrier Carrier Automatedlogic Webctrl 6.1 Carrier Automatedlogic Webctrl 6.0 Carrier Automatedlogic Webctrl 6.5	3

Common Weakness Enumeration (CWE)

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

Packetstorm

data source	https://packetstormsecurity.com/files/download/148126/webctrl-xxe.txt
id	PACKETSTORM:148126
last seen	2018-06-13
published	2018-06-09
reporter	Darrell Damstedt
source	https://packetstormsecurity.com/files/148126/WebCTRL-Out-Of-Band-XML-Injection.html
title	WebCTRL Out-Of-Band XML Injection

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Packetstorm

References