XXE attack in MDS PulseNET Enterprise and GE MDS PulseNET - CVE-2018-10613
Published: June 1, 2018
Vulnerability identifier: #VU13123
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-10613
CWE-ID: CWE-611
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: GE
Affected software:
MDS PulseNET Enterprise
GE MDS PulseNET
Detailed vulnerability description
The vulnerability allows a remote unauthenticated attacker to perform an XML external entity (XXE) attack on the target system.
The weakness exists due to insufficient validation of external entities. A remote attacker can supply data containing XML external entities, perform multiple variants of XXE attacks and exfiltrate data from the host Windows platform.
How to mitigate CVE-2018-10613
Install the update from the vendor's website.