CVE-2017-13706 - OpenCVE

XML external entity (XXE) vulnerability in the import package functionality of the deployment module in Lansweeper before 6.0.100.67 allows remote authenticated users to obtain sensitive information, cause a denial of service, conduct server-side request forgery (SSRF) attacks, conduct internal port scans, or have unspecified other impact via an XML request, aka bug #572705.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Lansweeper	Lansweeper

Configuration 1 [-]

cpe:2.3:a:lansweeper:lansweeper:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://packetstormsecurity.com/files/144527/Lansweeper-6.0.100.29-XXE-Injection.html
http://seclists.org/fulldisclosure/2017/Oct/14
https://www.lansweeper.com/changelog.aspx

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2017-10-10T13:00:00

Updated: 2024-08-05T19:05:20.085Z

Reserved: 2017-08-27T00:00:00

Link: CVE-2017-13706

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2017-10-10T13:29:00.343

Modified: 2017-11-05T22:43:09.663

Link: CVE-2017-13706

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-10-04T00:00:00", "descriptions": [{"lang": "en", "value": "XML external entity (XXE) vulnerability in the import package functionality of the deployment module in Lansweeper before 6.0.100.67 allows remote authenticated users to obtain sensitive information, cause a denial of service, conduct server-side request forgery (SSRF) attacks, conduct internal port scans, or have unspecified other impact via an XML request, aka bug #572705."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-10-10T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "20171007 CVE-2017-13706, Lansweeper 6.0.100.29 XXE Vulnerability", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2017/Oct/14"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.lansweeper.com/changelog.aspx"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/144527/Lansweeper-6.0.100.29-XXE-Injection.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-13706", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "XML external entity (XXE) vulnerability in the import package functionality of the deployment module in Lansweeper before 6.0.100.67 allows remote authenticated users to obtain sensitive information, cause a denial of service, conduct server-side request forgery (SSRF) attacks, conduct internal port scans, or have unspecified other impact via an XML request, aka bug #572705."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "20171007 CVE-2017-13706, Lansweeper 6.0.100.29 XXE Vulnerability", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2017/Oct/14"}, {"name": "https://www.lansweeper.com/changelog.aspx", "refsource": "CONFIRM", "url": "https://www.lansweeper.com/changelog.aspx"}, {"name": "http://packetstormsecurity.com/files/144527/Lansweeper-6.0.100.29-XXE-Injection.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/144527/Lansweeper-6.0.100.29-XXE-Injection.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T19:05:20.085Z"}, "title": "CVE Program Container", "references": [{"name": "20171007 CVE-2017-13706, Lansweeper 6.0.100.29 XXE Vulnerability", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2017/Oct/14"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.lansweeper.com/changelog.aspx"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/144527/Lansweeper-6.0.100.29-XXE-Injection.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-13706", "datePublished": "2017-10-10T13:00:00", "dateReserved": "2017-08-27T00:00:00", "dateUpdated": "2024-08-05T19:05:20.085Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lansweeper:lansweeper:*:*:*:*:*:*:*:*", "matchCriteriaId": "0E62F9A0-D77A-4C0F-9488-3E5F8E250E4D", "versionEndIncluding": "6.0.100.29", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "XML external entity (XXE) vulnerability in the import package functionality of the deployment module in Lansweeper before 6.0.100.67 allows remote authenticated users to obtain sensitive information, cause a denial of service, conduct server-side request forgery (SSRF) attacks, conduct internal port scans, or have unspecified other impact via an XML request, aka bug #572705."}, {"lang": "es", "value": "Vulnerabilidad XEE (XML External Entity) en la funcionalidad de importaci\u00f3n de paquetes del m\u00f3dulo deployment en Lansweeper en versiones anteriores a la 6.0.100.67 permite que usuarios autenticados remotos obtengan informaci\u00f3n sensible, provoquen una denegaci\u00f3n de servicio, realicen ataques SSRF (Server-Side Request Forgery), realicen escaneos de puertos internos o provoquen otro impacto no especificado mediante una petici\u00f3n XML. Esta vulnerabilidad tambi\u00e9n se conoce como bug #572705."}], "id": "CVE-2017-13706", "lastModified": "2017-11-05T22:43:09.663", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-10-10T13:29:00.343", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/144527/Lansweeper-6.0.100.29-XXE-Injection.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2017/Oct/14"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://www.lansweeper.com/changelog.aspx"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}]}