Vulnerabilities > CVE-2018-8940 - XXE vulnerability in Enghouse Contact Center: Service Provider 7.2.5

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

enghouse

CWE-611

critical

NVD

Published: 2019-05-14

Updated: 2019-05-15

Summary

ClientServiceConfigController.cs in Enghouse Cloud Contact Center Platform 7.2.5 has functionality for loading external XML files and parsing them, allowing an attacker to upload a malicious XML file and reference it in the URL of the application, forcing the application to load and parse the malicious XML file, aka an XXE issue.

Vulnerable Configurations

Part	Description	Count
Application	Enghouse Enghouse Contact Center _Service_Provider	1

Common Weakness Enumeration (CWE)

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

Packetstorm

data source	https://packetstormsecurity.com/files/download/152829/enghouseiccsp725-xxessrf.txt
id	PACKETSTORM:152829
last seen	2019-05-14
published	2019-05-11
reporter	David Herrero
source	https://packetstormsecurity.com/files/152829/CCSP-7.2.5-API-XML-Injection-Server-Side-Request-Forgery.html
title	CCSP 7.2.5 API XML Injection / Server-Side Request Forgery

References

https://seclists.org/fulldisclosure/2019/May/9