Vulnerabilities > CVE-2021-37425 - XXE vulnerability in Altova Mobiletogether Server 7.0/7.3

CVSS 9.1 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

HIGH

network

low complexity

altova

CWE-611

critical

NVD

Published: 2021-08-10

Updated: 2021-08-18

Summary

Altova MobileTogether Server before 7.3 SP1 allows XXE attacks, such as an InfoSetChanges/Changes attack against /workflowmanagement, or reading mobiletogetherserver.cfg and then reading the certificate and private key.

Vulnerable Configurations

Part	Description	Count
Application	Altova Altova Mobiletogether Server 7.0 Altova Mobiletogether Server 7.3	2

Common Weakness Enumeration (CWE)

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

References

https://www.redteam-pentesting.de/advisories/rt-sa-2021-002
https://www.redteam-pentesting.de/en/advisories/-advisories-publicised-vulnerability-analyses
https://www.altova.com/mobiletogether
http://seclists.org/fulldisclosure/2021/Aug/12