Vulnerabilities > CVE-2022-45326 - XXE vulnerability in Kwoksys Information Server

CVSS 4.9 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

HIGH

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

kwoksys

CWE-611

NVD

Published: 2022-12-06

Updated: 2022-12-08

Summary

An XML external entity (XXE) injection vulnerability in Kwoksys Kwok Information Server before v2.9.5.SP31 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks.

Vulnerable Configurations

Part	Description	Count
Application	Kwoksys Kwoksys Information Server 2.9.5 Kwoksys Information Server 2.8.3 Kwoksys Information Server 2.8.4 Kwoksys Information Server 2.8.5	8

Common Weakness Enumeration (CWE)

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

References

https://www.navsec.net/2022/11/12/kwoksys-xxe.html
http://www.kwoksys.com/wiki/index.php?title=Release_Notes