Vulnerabilities > CVE-2018-8819 - XXE vulnerability in Carrier Automatedlogic Webctrl 6.0/6.1/6.5

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
NONE
Availability impact
NONE
network
low complexity
carrier
CWE-611

Summary

An XXE issue was discovered in Automated Logic Corporation (ALC) WebCTRL Versions 6.0, 6.1 and 6.5. An unauthenticated attacker could enter malicious input to WebCTRL and a weakly configured XML parser will allow the application to disclose full file contents from the underlying web server OS via the "X-Wap-Profile" HTTP header.

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/148126/webctrl-xxe.txt
idPACKETSTORM:148126
last seen2018-06-13
published2018-06-09
reporterDarrell Damstedt
sourcehttps://packetstormsecurity.com/files/148126/WebCTRL-Out-Of-Band-XML-Injection.html
titleWebCTRL Out-Of-Band XML Injection