Main Vulnerability Database SB2021042906

SB2021042906 - XML External Entity injection in Cisco Firepower Device Manager On-Box

Published: April 29, 2021

Security Bulletin ID SB2021042906

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) XML External Entity injection (CVE-ID: CVE-2021-1369)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to insufficient validation of user-supplied XML input in the REST API. A remote authenticated attacker can pass a specially crafted XML code to the affected application and view contents of arbitrary files on the system or cause a denial of service (DoS) condition.

Remediation

Install update from vendor's website.

References

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fdm-xxe-zR7sxPfs