Vulnerabilities > CVE-2024-37388 - XXE vulnerability in Dnkorpushov Ebookmeta

CVSS 9.1 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

HIGH

network

low complexity

dnkorpushov

CWE-611

critical

NVD

Published: 2024-06-07

Updated: 2024-10-30

Summary

An XML External Entity (XXE) vulnerability in the ebookmeta.get_metadata function of lxml before v4.9.1 allows attackers to access sensitive information or cause a Denial of Service (DoS) via crafted XML input.

Vulnerable Configurations

Part	Description	Count
Application	Dnkorpushov Dnkorpushov Ebookmeta - Dnkorpushov Ebookmeta 0.10.2 Dnkorpushov Ebookmeta 0.11.2 Dnkorpushov Ebookmeta 1.0.3 Dnkorpushov Ebookmeta 1.1.3 Dnkorpushov Ebookmeta 1.1.4 Dnkorpushov Ebookmeta 1.2.0 Dnkorpushov Ebookmeta 1.2.1 Dnkorpushov Ebookmeta 1.2.4 Dnkorpushov Ebookmeta 1.2.5 Dnkorpushov Ebookmeta 1.2.6 Dnkorpushov Ebookmeta 1.2.7 Dnkorpushov Ebookmeta 1.2.9 Dnkorpushov Ebookmeta 1.2.10 Dnkorpushov Ebookmeta 1.2.11	15

Common Weakness Enumeration (CWE)

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

References

https://github.com/dnkorpushov/ebookmeta/issues/16#issue-2317712335