krzysztof-przybylski (10)

Last Login: August 24, 2020
Assessments
2
Score
10

krzysztof-przybylski's Latest (2) Contributions

Sort by:
Filter by:
5
Ratings
  • Attacker Value
    Very High
  • Exploitability
    High
Common in enterpriseEasy to weaponizeGives privileged accessUnauthenticatedVulnerable in default configuration
Technical Analysis

Severity: Critical
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)

AFFECTED PRODUCTS
WSO2 API Manager : 3.1.0 or earlier
WSO2 API Microgateway : 2.2.0

An XML External Entity injection (XXE) often allows an attacker to view files on the server file system, and to interact with any backend or external systems that the application itself can access and allows the attacker to transmit sensitive data from the compromised server to a system that the attacker controls. An XML Entity Expansion attack might result in a denial-of-service condition, causing the entire application to stop functioning. It is possible to exploit both of the above vulnerabilities without authenticating to the Management Console.

CREDITS
Krzysztof Przybylski

3
Technical Analysis

CVSS Score:
Base 6.1 (Medium)
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:X/RL:X/RC:X

Credits:
Krzysztof Przybylski

Reference:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190904-ise-xss