XXE attack in Fortify Software Security Center - CVE-2018-6486
Published: February 5, 2018
Vulnerability identifier: #VU10378
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-6486
CWE-ID: CWE-611
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: OpenText
Affected software:
Fortify Software Security Center
Detailed vulnerability description
The vulnerability allows a remote attacker to perform an XXE attack.
The weakness exists due to improper handling of XML External Entity (XXE) declarations when parsing an XML file. A remote attacker can submit a specially crafted XML file containing malicious external entity declarations and bypass security restrictions on the target system. As with other CWE-611 issues, the practical impact depends on what the parser is permitted to resolve: typically disclosure of local files readable by the application process, or server-side requests to attacker-chosen URLs. The advisory does not state which of these applies to this product.
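To make the CWE-611 mechanism concrete, the following added example (it is not code from the advisory or from the Fortify product) feeds one crafted document to Python's xml.sax twice: once with external general entity resolution enabled, which is the vulnerable configuration, and once with it disabled. The document, the temporary file name and the secret it contains are all constructed for the demo.

```python
"""XXE (CWE-611) in miniature: the same crafted document fed to an XML
parser that resolves external general entities and to one that does not.
Added example using Python's xml.sax; not Fortify SSC code. The document,
file name and secret are constructed for the demo."""
import io
import tempfile
from pathlib import Path
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Accumulates all character data the parser reports."""

    def __init__(self):
        super().__init__()
        self._parts = []

    def characters(self, content):
        self._parts.append(content)

    def text(self):
        return "".join(self._parts)


def make_xxe_document(target_uri):
    """Attacker-controlled XML (constructed): declares an external entity
    whose SYSTEM identifier points at a local file and references it
    from element content."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE report [\n"
        f'  <!ENTITY xxe SYSTEM "{target_uri}">\n'
        "]>\n"
        "<report><name>&xxe;</name></report>\n"
    ).encode("utf-8")


def parse_report(xml_bytes, resolve_external_entities):
    """Parse the document and return its text content.
    feature_external_ges=True is the vulnerable configuration: the parser
    fetches whatever the entity's SYSTEM identifier points at and splices
    the result into the document. False (the xml.sax default) leaves the
    entity reference empty."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text().strip()


def demo():
    """Write a constructed secret file, then parse the crafted document
    with the vulnerable and the hardened parser. Returns both results."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = Path(tmp, "secret.txt")
        secret_path.write_text("db-password-123")  # constructed secret
        doc = make_xxe_document(secret_path.resolve().as_uri())
        leaked = parse_report(doc, resolve_external_entities=True)
        hardened = parse_report(doc, resolve_external_entities=False)
    return {"vulnerable": leaked, "hardened": hardened}


if __name__ == "__main__":
    for mode, result in demo().items():
        print(f"{mode}: {result!r}")
```

The vulnerable parser returns the secret file's contents as the text of the `<name>` element; the hardened parser returns an empty string for the same input. Fortify SSC itself is a Java web application, where the equivalent hardening is to set the feature `http://apache.org/xml/features/disallow-doctype-decl` to true on the DocumentBuilderFactory or SAXParserFactory (or, where DOCTYPEs must be accepted, to disable external general and parameter entities); the advisory does not say how the 17.20 fix was implemented.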
How to mitigate CVE-2018-6486
Update to version 17.20 or later.