Vulnerabilities > CVE-2022-31261 - XXE vulnerability in Morpheusdata Morpheus 5.2.16/5.4.0/5.4.4
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
NONE Availability impact
NONE Summary
An XXE issue was discovered in Morpheus through 5.2.16 and 5.4.x through 5.4.4. A successful attack requires a SAML identity provider to be configured. In order to exploit the vulnerability, the attacker must know the unique SAML callback ID of the configured identity source. A remote attacker can send a request crafted with an XXE payload to invoke a malicious DTD hosted on a system that they control. This results in reading local files that the application has access to.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 3 |