Vulnerabilities > CVE-2019-20153 - XXE vulnerability in Determine Contract Lifecycle Management 5.4

CVSS 4.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

PARTIAL

Integrity impact

NONE

Availability impact

NONE

network

low complexity

determine

CWE-611

NVD

Published: 2020-01-05

Updated: 2020-01-13

Summary

An issue was discovered in Determine (formerly Selectica) Contract Lifecycle Management (CLM) in v5.4. An XML external entity (XXE) vulnerability in the upload definition feature in definition_upload_attach.jsp allows authenticated remote attackers to read arbitrary files (including configuration files containing administrative credentials).

Vulnerable Configurations

Part	Description	Count
Application	Determine Determine Contract Lifecycle Management 5.4	1

Common Weakness Enumeration (CWE)

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

References

https://www.n00py.io/2020/01/zero-day-exploit-in-determine-selectica-contract-lifecycle-management-sclm-v5-4/