#VU10120 XXE attack in Cisco AnyConnect Secure Mobility Client - CVE-2018-0100

Published: January 22, 2018


Vulnerability identifier: #VU10120
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-0100
CWE-ID: CWE-611
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software: Cisco AnyConnect Secure Mobility Client
Software vendor: Cisco Systems, Inc.

Description

The vulnerability allows a local unauthenticated attacker to perform an XXE attack on the target system.

The weakness exists in the Profile Editor of the Cisco AnyConnect Secure Mobility Client due to improper handling of XML External Entity (XXE) declarations when parsing an XML file. A local attacker can supply a specially crafted XML file containing malicious entity declarations to gain read and write access to files on the system.
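As an added illustration of the standard mitigation for this weakness class (example code written for this page, not Cisco's or the Profile Editor's own implementation), the loader below refuses any DTD or entity declaration before an XML client profile reaches the real parser; the profile layout is a simplified, constructed approximation and the file path is a placeholder.

```python
# Added example, not Cisco's code: fail-closed loader for an XML client profile that
# refuses any DTD or entity declaration (the standard CWE-611 mitigation).
import xml.etree.ElementTree as ET
from xml.parsers import expat

class UnsafeProfileXML(ValueError):
    """Profile carries a DOCTYPE or entity declaration and is rejected."""

def _reject(what):
    def handler(*_args):
        raise UnsafeProfileXML(f"{what} is not allowed in a client profile")
    return handler

def assert_no_dtd(xml_bytes: bytes) -> None:
    """Expat pre-pass: the first DOCTYPE or ENTITY declaration aborts the parse,
    so no entity (internal or external) is ever expanded."""
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject("DOCTYPE")
    parser.EntityDeclHandler = _reject("ENTITY declaration")
    # Belt and braces: never fetch an external DTD subset or external entity.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.ExternalEntityRefHandler = lambda *_args: 0
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError as exc:
        raise UnsafeProfileXML(f"malformed XML: {exc}") from exc

def load_profile_hosts(xml_bytes: bytes) -> list:
    """Return (HostName, HostAddress) pairs, or raise UnsafeProfileXML."""
    assert_no_dtd(xml_bytes)  # runs before the real parser sees the bytes
    root = ET.fromstring(xml_bytes)
    return [(h.findtext("HostName"), h.findtext("HostAddress"))
            for h in root.iter("HostEntry")]

def is_rejected(xml_bytes: bytes) -> bool:
    try:
        load_profile_hosts(xml_bytes)
    except UnsafeProfileXML:
        return True
    return False

# Constructed sample profiles (simplified from the AnyConnect layout, not real files).
BENIGN_PROFILE = b"""<AnyConnectProfile><ServerList>
  <HostEntry><HostName>vpn-hq</HostName><HostAddress>vpn.example.test</HostAddress></HostEntry>
</ServerList></AnyConnectProfile>"""
# Same profile, but a DTD declares an external entity (placeholder path) used in HostName.
XXE_PROFILE = b"""<!DOCTYPE AnyConnectProfile [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER_PATH"> ]>
<AnyConnectProfile><ServerList>
  <HostEntry><HostName>&ext;</HostName><HostAddress>vpn.example.test</HostAddress></HostEntry>
</ServerList></AnyConnectProfile>"""
```

The pre-pass rejects a profile at the first `<!DOCTYPE` token, so a DTD with no entities at all is refused as well; a malformed document is treated the same way rather than being partially accepted.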

Remediation

Install update from vendor's website.

External links