CVE-2019-16188
Summary
| CVE | CVE-2019-16188 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2019-09-25 17:15:00 UTC |
| Updated | 2019-09-26 19:23:00 UTC |
| Description | HCL AppScan Source before 9.03.13 is susceptible to XML External Entity (XXE) attacks in multiple locations. In particular, an attacker can send a specially crafted .ozasmt file to a targeted victim and ask the victim to open it. When the victim imports the .ozasmt file in AppScan Source, the content of any file in the local file system (to which the victim has read access) can be exfiltrated to a remote listener under the attacker's control. The product does not disable external XML entity processing, which can lead to information disclosure and denial of service attacks. |
Risk And Classification
Problem Types: CWE-611
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Hcltech | Appscan Source | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| HCL Security Bulletin: XML External Entity (XXE) vulnerability in HCL AppScan Source (CVE-2019-16188) - HCL KB0069344 - Customer Support | CONFIRM | hclpnpsupport.hcltech.com | Patch, Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.