XML External Entity injection in WebCTRL - CVE-2018-8819

Published: June 14, 2018 / Updated: August 8, 2020


Vulnerability identifier: #VU37031
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2018-8819
CWE-ID: CWE-611
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Automated Logic Corporation
Affected software:
WebCTRL

Detailed vulnerability description

The vulnerability allows a remote, unauthenticated attacker to read sensitive files from the server.

An XML External Entity (XXE) issue exists in Automated Logic Corporation (ALC) WebCTRL versions 6.0, 6.1 and 6.5. An unauthenticated attacker can supply malicious input through the "X-Wap-Profile" HTTP header. Because the application's XML parser is weakly configured (resolution of external entities is not disabled, CWE-611), the parser fetches whatever SYSTEM identifier the attacker's document declares, and the application discloses the full contents of files on the underlying web server's operating system.
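The weak and the hardened parser configuration behind CWE-611, as an added example that is not WebCTRL's code and not part of the advisory: Python's xml.sax stands in for whatever XML parser WebCTRL uses (the page does not name it), the "sensitive" file and the attacker's document are constructed here, and the idea that the X-Wap-Profile header points at a UAProf-style XML profile is an assumption of this example, not a statement from the page.

```python
"""Added example, not WebCTRL code: the weak and the hardened XML parser
configuration behind CWE-611, using Python's xml.sax as a stand-in for the
parser WebCTRL actually uses (the advisory does not name it)."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed sample content standing in for a file on the web server's OS.
SECRET = "db.password=constructed-secret"


def make_secret_file(content: str = SECRET) -> str:
    """Write the constructed 'sensitive' file to a temp path and return the path."""
    fd, path = tempfile.mkstemp(suffix=".properties")
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    return path


def xxe_payload(target_path: str) -> bytes:
    """Attacker-controlled document, constructed here. Its shape (a UAProf-like
    profile of the kind X-Wap-Profile would point to) is an assumption of this
    example, not something the advisory states."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE prf [\n"
        f'  <!ENTITY xxe SYSTEM "{target_path}">\n'
        "]>\n"
        "<prf><Vendor>&xxe;</Vendor></prf>"
    ).encode()


class _TextCollector(ContentHandler):
    """Gathers character data so we can see what the entity expanded to."""

    def __init__(self) -> None:
        super().__init__()
        self.parts = []

    def characters(self, content: str) -> None:
        self.parts.append(content)


def parse_profile(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """Parse the document and return its text content.
    resolve_external_entities=True is the weak configuration: the parser opens
    whatever SYSTEM identifier the document names and splices the bytes into
    the document text, which is how file contents leak back to the attacker."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts).strip()


def parse_untrusted_profile(xml_bytes: bytes) -> str:
    """Hardened path: untrusted input gets no DTD at all, and external general
    entities stay disabled as defence in depth. The byte check is a coarse
    pre-filter (DOCTYPE and ENTITY are case-sensitive keywords in XML); the
    parser feature is the actual fix."""
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD or entity declaration in untrusted XML rejected")
    return parse_profile(xml_bytes, resolve_external_entities=False)


def demo() -> dict:
    """Run one payload through the weak, the hardened and the guarded parser."""
    path = make_secret_file()
    try:
        payload = xxe_payload(path)
        weak = parse_profile(payload, resolve_external_entities=True)
        hardened = parse_profile(payload, resolve_external_entities=False)
        try:
            parse_untrusted_profile(payload)
            guard = "accepted"
        except ValueError:
            guard = "rejected"
    finally:
        os.unlink(path)
    return {"weak": weak, "hardened": hardened, "guard": guard}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

With external general entities enabled, the `Vendor` element comes back holding the secret file's contents; with them disabled the entity expands to nothing, and the guarded parser refuses the document before parsing. The same two controls (forbid DOCTYPE on untrusted input, disable external entity resolution) are what a fix for CWE-611 looks like in any parser.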


How to mitigate CVE-2018-8819

Install the update from the vendor's website. Because the flaw is reachable remotely without authentication, limiting network access to the WebCTRL web interface reduces exposure until the update is applied.
