#VU17843 XXE attack in Cisco IoT Field Network Director


Published: 2019-02-22

Vulnerability identifier: #VU17843

Vulnerability risk: Low

CVSSv3.1: 4.3 (temporal score; base score 4.9) [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-1698

CWE-ID: CWE-611

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Cisco IoT Field Network Director
Web applications / Remote management & hosting panels

Vendor: Cisco Systems, Inc

Description
The vulnerability allows a remote, authenticated attacker with high privileges to conduct an XXE (XML External Entity) attack.

The vulnerability exists in the web-based user interface due to improper handling of XML external entities when parsing an XML file. A remote attacker with high-privileged (administrative) access can import a specially crafted XML file that declares a malicious external entity; when the application expands that entity during parsing, the attacker can read files within the affected application.

Mitigation
Update to version 4.4(0.26).

Vulnerable software versions

Cisco IoT Field Network Director: 4.2.1.2


External links
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190220-iot-fnd-xml


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited over the network (CVSS AV:N), but only by an authenticated user with high privileges (PR:H) who can reach the web-based user interface.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
