XXE attack in Freeplane - CVE-2018-1000069
Published: April 19, 2018
Vulnerability identifier: #VU11993
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-1000069
CWE-ID: CWE-611
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Freeplane
Affected software: Freeplane
Detailed vulnerability description
The vulnerability allows a remote attacker to perform an XXE attack and obtain potentially sensitive information from the target system.
The weakness exists in the XML parser used by the mind map loader, which does not properly restrict XML External Entity (XXE) declarations when parsing an XML file. A remote attacker can trick the victim into opening a specially crafted mind map file and steal data from the victim's machine.
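As an added illustration (this is example code written for this page, not code from the advisory or from the Freeplane project), the following Java snippet shows the shape of the weakness and the parser hardening that closes it: a constructed mind map file carries a DOCTYPE that declares an external entity, and a DocumentBuilderFactory configured to refuse DOCTYPE declarations and external entities rejects it before any entity could be resolved, while a benign map still parses. The class name, the sample map content and the file path inside the entity declaration are all constructed for the example.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class HardenedMindMapLoader {

    // Constructed sample: a mind map whose DOCTYPE declares an external entity
    // that points at a local file. A parser that resolves external entities
    // would read that file and substitute its contents into the node text,
    // which is the CWE-611 behaviour the advisory describes.
    static final String UNTRUSTED_MAP =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
      + "<!DOCTYPE map [<!ENTITY ext SYSTEM \"file:///tmp/constructed-secret.txt\">]>\n"
      + "<map version=\"example\"><node TEXT=\"&ext;\"/></map>";

    // Constructed sample: an ordinary map with no DOCTYPE at all.
    static final String BENIGN_MAP =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
      + "<map version=\"example\"><node TEXT=\"root\"/></map>";

    /** Builds a factory whose parsers refuse DOCTYPEs and never fetch external entities. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright: no inline DTD, hence no entity declarations.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that accept DOCTYPEs anyway.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parses an in-memory map with the given factory; throws on rejected input. */
    static Document parse(DocumentBuilderFactory f, String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder b = f.newDocumentBuilder();
        return b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory f = hardenedFactory();

        Document ok = parse(f, BENIGN_MAP);
        System.out.println("benign map parsed, root element: "
                + ok.getDocumentElement().getTagName());

        try {
            parse(f, UNTRUSTED_MAP);
            System.out.println("UNEXPECTED: map with DOCTYPE was accepted");
        } catch (SAXException e) {
            // The JDK's built-in parser raises a SAXParseException here because
            // the DOCTYPE is disallowed; the external entity is never resolved.
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The essential setting is the disallow-doctype-decl feature: a mind map format has no legitimate need for a DTD, so refusing the declaration entirely is simpler and safer than trying to permit "harmless" DTDs while blocking entity resolution. The remaining features only matter on parser implementations that do not honour the first one.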
How to mitigate CVE-2018-1000069
Update to version 1.5.10 or later.