#VU13123 XXE attack in MDS PulseNET Enterprise and GE MDS PulseNET - CVE-2018-10613

 


Published: June 1, 2018


Vulnerability identifier: #VU13123
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-10613
CWE-ID: CWE-611
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
MDS PulseNET Enterprise
GE MDS PulseNET
Software vendor:
GE

Description

The vulnerability allows a remote unauthenticated attacker to perform an XXE attack on the target system.

The weakness exists due to insufficient validation of external entities. A remote attacker can supply data containing XML external entities, perform multiple variants of XXE attacks and exfiltrate data from the host Windows platform.

Remediation

Install the update from the vendor's website.

External links