{"api_version":"1","generated_at":"2026-07-03T15:52:15+00:00","cve":"CVE-2012-5357","urls":{"html":"https://cve.report/CVE-2012-5357","api":"https://cve.report/api/cve/CVE-2012-5357.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2012-5357","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2012-5357"},"summary":{"title":"CVE-2012-5357","description":"Ektron Content Management System (CMS) before 8.02 SP5 uses the XslCompiledTransform class with enablescript set to true, which allows remote attackers to execute arbitrary code with NETWORK SERVICE privileges via crafted XSL data.","state":"PUBLISHED","assigner":"mitre","published_at":"2017-10-30 14:29:00","updated_at":"2025-04-20 01:37:25"},"problem_types":["CWE-19","n/a"],"metrics":[{"version":"3.0","source":"nvd@nist.gov","type":"Primary","score":"9.8","severity":"CRITICAL","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"2.0","source":"nvd@nist.gov","type":"Primary","score":"7.5","severity":"","vector":"AV:N/AC:L/Au:N/C:P/I:P/A:P","data":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","baseScore":7.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"}}],"references":[{"url":"http://documentation.ektron.com/current/ReleaseNotes/Release8/8.02SP5.htm","name":"http://documentation.ektron.com/current/ReleaseNotes/Release8/8.02SP5.htm","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Issue Tracking","Vendor Advisory"],"title":"Upgrading to Ektron version 8.02 SP5","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://technet.microsoft.com/library/security/msvr12-016","name":"https://technet.microsoft.com/library/security/msvr12-016","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Issue Tracking","Release Notes","Third Party Advisory"],"title":"Microsoft Vulnerability Research Advisory MSVR12-016","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.rapid7.com/db/modules/exploit/windows/http/ektron_xslt_exec","name":"https://www.rapid7.com/db/modules/exploit/windows/http/ektron_xslt_exec","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Issue Tracking","Third Party Advisory"],"title":"CVE-2012-5357 Ektron 8.02 XSLT Transform Remote Code Execution | Rapid7","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://webstersprodigy.net/2012/10/25/cve-2012-5357cve-1012-5358-cool-ektron-xslt-rce-bugs/","name":"https://webstersprodigy.net/2012/10/25/cve-2012-5357cve-1012-5358-cool-ektron-xslt-rce-bugs/","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Issue Tracking","Third Party Advisory"],"title":"CVE-2012-5357,CVE-1012-5358 Cool Ektron XSLT RCE Bugs « WebstersProdigy","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2012-5357","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2012-5357","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"n/a","product":"n/a","version":"affected n/a","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2012","cve_id":"5357","vulnerable":"1","versionEndIncluding":"8.02","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"ektron","cpe5":"ektron_content_management_system","cpe6":"*","cpe7":"sp4","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-06T21:05:47.226Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_refsource_MISC","x_transferred"],"url":"https://webstersprodigy.net/2012/10/25/cve-2012-5357cve-1012-5358-cool-ektron-xslt-rce-bugs/"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://www.rapid7.com/db/modules/exploit/windows/http/ektron_xslt_exec"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"http://documentation.ektron.com/current/ReleaseNotes/Release8/8.02SP5.htm"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://technet.microsoft.com/library/security/msvr12-016"}],"title":"CVE Program Container"}],"cna":{"affected":[{"product":"n/a","vendor":"n/a","versions":[{"status":"affected","version":"n/a"}]}],"datePublic":"2012-10-16T00:00:00.000Z","descriptions":[{"lang":"en","value":"Ektron Content Management System (CMS) before 8.02 SP5 uses the XslCompiledTransform class with enablescript set to true, which allows remote attackers to execute arbitrary code with NETWORK SERVICE privileges via crafted XSL data."}],"problemTypes":[{"descriptions":[{"description":"n/a","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2017-10-30T13:57:01.000Z","orgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","shortName":"mitre"},"references":[{"tags":["x_refsource_MISC"],"url":"https://webstersprodigy.net/2012/10/25/cve-2012-5357cve-1012-5358-cool-ektron-xslt-rce-bugs/"},{"tags":["x_refsource_MISC"],"url":"https://www.rapid7.com/db/modules/exploit/windows/http/ektron_xslt_exec"},{"tags":["x_refsource_CONFIRM"],"url":"http://documentation.ektron.com/current/ReleaseNotes/Release8/8.02SP5.htm"},{"tags":["x_refsource_MISC"],"url":"https://technet.microsoft.com/library/security/msvr12-016"}],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2012-5357","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Ektron Content Management System (CMS) before 8.02 SP5 uses the XslCompiledTransform class with enablescript set to true, which allows remote attackers to execute arbitrary code with NETWORK SERVICE privileges via crafted XSL data."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"https://webstersprodigy.net/2012/10/25/cve-2012-5357cve-1012-5358-cool-ektron-xslt-rce-bugs/","refsource":"MISC","url":"https://webstersprodigy.net/2012/10/25/cve-2012-5357cve-1012-5358-cool-ektron-xslt-rce-bugs/"},{"name":"https://www.rapid7.com/db/modules/exploit/windows/http/ektron_xslt_exec","refsource":"MISC","url":"https://www.rapid7.com/db/modules/exploit/windows/http/ektron_xslt_exec"},{"name":"http://documentation.ektron.com/current/ReleaseNotes/Release8/8.02SP5.htm","refsource":"CONFIRM","url":"http://documentation.ektron.com/current/ReleaseNotes/Release8/8.02SP5.htm"},{"name":"https://technet.microsoft.com/library/security/msvr12-016","refsource":"MISC","url":"https://technet.microsoft.com/library/security/msvr12-016"}]}}}},"cveMetadata":{"assignerOrgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","assignerShortName":"mitre","cveId":"CVE-2012-5357","datePublished":"2017-10-30T14:00:00.000Z","dateReserved":"2012-10-10T00:00:00.000Z","dateUpdated":"2024-08-06T21:05:47.226Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"},"nvd":{"publishedDate":"2017-10-30 14:29:00","lastModifiedDate":"2025-04-20 01:37:25","problem_types":["CWE-19","n/a"],"metrics":{"cvssMetricV30":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","baseScore":7.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"HIGH","exploitabilityScore":10,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:ektron:ektron_content_management_system:*:sp4:*:*:*:*:*:*","versionEndIncluding":"8.02","matchCriteriaId":"BB92429C-B831-43D1-A018-54ACC8B171FD"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2012","CveId":"5357","Ordinal":"1","Title":"CVE-2012-5357","CVE":"CVE-2012-5357","Year":"2012"},"notes":[{"CveYear":"2012","CveId":"5357","Ordinal":"1","NoteData":"Ektron Content Management System (CMS) before 8.02 SP5 uses the XslCompiledTransform class with enablescript set to true, which allows remote attackers to execute arbitrary code with NETWORK SERVICE privileges via crafted XSL data.","Type":"Description","Title":"CVE-2012-5357"},{"CveYear":"2012","CveId":"5357","Ordinal":"2","NoteData":"2017-10-30","Type":"Other","Title":"Published"},{"CveYear":"2012","CveId":"5357","Ordinal":"3","NoteData":"2017-10-30","Type":"Other","Title":"Modified"}]}}}