XXE attack in EMC Data Protection Advisor
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2018-11048 |
| CWE-ID | CWE-611 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
EMC Data Protection Advisor Server applications / Other server solutions |
| Vendor | Dell |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) XXE attack
EUVDB-ID: #VU14192
Risk: Low
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-11048
CWE-ID:
CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated attacker to perform XXE attack.
The weakness exists due to an error when processing malicious XML data. A remote attacker can supply specially crafted XML External Entity (XXE) data to the target REST API to read files on the target system with elevated privileges or cause the service to crash.
MitigationThe vulnerability has been fixed in the versions 6.4 patch B180, 6.5 patch B58.
Vulnerable software versionsEMC Data Protection Advisor: 6.2 - 6.5
External linkshttp://seclists.org/fulldisclosure/2018/Aug/5
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
