#VU8318 XXE in Windows Server and Windows - CVE-2017-8710

Cybersecurity Help s.r.o.

Published: 2017-09-12 | Updated: 2017-09-12

Vulnerability identifier: #VU8318

Vulnerability risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2017-8710

CWE-ID: CWE-611

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Windows Server
Operating systems & Components / Operating system
Windows
Operating systems & Components / Operating system

Vendor: Microsoft

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

An information disclosure vulnerability exists in the Windows System Information Console when it improperly parses XML input containing a reference to an external entity. A remote attacker can create a specially crafted XML file, trick the victim into opening it and gain access to potentially sensitive information.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Windows Server: 2008 R2 - 2008

Windows: 7

External links
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8710

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

XXE in Windows System Information Console