XXE attack in Windows and Windows Server - CVE-2017-8557
Published: July 11, 2017 / Updated: July 11, 2017
Vulnerability identifier: #VU7468
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-8557
CWE-ID: CWE-611
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Microsoft
Affected software:
Windows
Windows Server
Windows
Windows Server
Detailed vulnerability description
The vulnerability allows a remote attacker to conduct XXE attack.
The weakness exists due to improper parsing of XML input containing a reference to an external entity. A remote attacker can send manipulated XML content, trick the victim into opening and read arbitrary files on the system.
Successful exploitation of the vulnerability may result in information disclosure.
The weakness exists due to improper parsing of XML input containing a reference to an external entity. A remote attacker can send manipulated XML content, trick the victim into opening and read arbitrary files on the system.
Successful exploitation of the vulnerability may result in information disclosure.
How to mitigate CVE-2017-8557
Install updates from vendor's website.