Main Vulnerability Database Vulnerabilities #VU14192

XXE attack in EMC Data Protection Advisor - CVE-2018-11048

Published: August 3, 2018 / Updated: August 6, 2018

Vulnerability identifier: #VU14192

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2018-11048

CWE-ID: CWE-611

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Dell

Affected software:
EMC Data Protection Advisor

Detailed vulnerability description

The vulnerability allows a remote authenticated attacker to perform XXE attack.

The weakness exists due to an error when processing malicious XML data. A remote attacker can supply specially crafted XML External Entity (XXE) data to the target REST API to read files on the target system with elevated privileges or cause the service to crash.

How to mitigate CVE-2018-11048

The vulnerability has been fixed in the versions 6.4 patch B180, 6.5 patch B58.

Sources

http://seclists.org/fulldisclosure/2018/Aug/5

XXE attack in EMC Data Protection Advisor - CVE-2018-11048

Detailed vulnerability description

How to mitigate CVE-2018-11048

Sources

Please verify you're human