{"containers": {"cna": {"affected": [{"product": "Cisco Secure Access Control Server Solution Engine (ACSE)", "vendor": "Cisco", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2018-09-05T00:00:00", "descriptions": [{"lang": "en", "value": "A vulnerability in the web-based UI of Cisco Secure Access Control Server could allow an authenticated, remote attacker to gain read access to certain information in an affected system. The vulnerability is due to improper handling of XML External Entities (XXEs) when parsing an XML file. An attacker could exploit this vulnerability by convincing the administrator of an affected system to import a crafted XML file."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-611", "description": "CWE-611", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-10-07T09:57:02", "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco"}, "references": [{"name": "105289", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/105289"}, {"name": "20180905 Cisco Secure Access Control Server XML External Entity Injection Vulnerability", "tags": ["vendor-advisory", "x_refsource_CISCO"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-acsxxe"}, {"name": "1041688", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1041688"}], "source": {"advisory": "cisco-sa-20180905-acsxxe", "defect": [["CSCvi85318"]], "discovery": "UNKNOWN"}, "title": "Cisco Secure Access Control Server XML External Entity Injection Vulnerability", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@cisco.com", "DATE_PUBLIC": "2018-09-05T16:00:00-0500", "ID": "CVE-2018-0414", "STATE": "PUBLIC", "TITLE": "Cisco Secure Access Control Server XML External Entity Injection Vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Cisco Secure Access Control Server Solution Engine (ACSE)", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "Cisco"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability in the web-based UI of Cisco Secure Access Control Server could allow an authenticated, remote attacker to gain read access to certain information in an affected system. The vulnerability is due to improper handling of XML External Entities (XXEs) when parsing an XML file. An attacker could exploit this vulnerability by convincing the administrator of an affected system to import a crafted XML file."}]}, "impact": {"cvss": {"baseScore": "6.5", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-611"}]}]}, "references": {"reference_data": [{"name": "105289", "refsource": "BID", "url": "http://www.securityfocus.com/bid/105289"}, {"name": "20180905 Cisco Secure Access Control Server XML External Entity Injection Vulnerability", "refsource": "CISCO", "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-acsxxe"}, {"name": "1041688", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1041688"}]}, "source": {"advisory": "cisco-sa-20180905-acsxxe", "defect": [["CSCvi85318"]], "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T03:21:15.504Z"}, "title": "CVE Program Container", "references": [{"name": "105289", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/105289"}, {"name": "20180905 Cisco Secure Access Control Server XML External Entity Injection Vulnerability", "tags": ["vendor-advisory", "x_refsource_CISCO", "x_transferred"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-acsxxe"}, {"name": "1041688", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1041688"}]}]}, "cveMetadata": {"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "assignerShortName": "cisco", "cveId": "CVE-2018-0414", "datePublished": "2018-10-05T14:00:00Z", "dateReserved": "2017-11-27T00:00:00", "dateUpdated": "2024-09-16T23:36:31.956Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cisco:secure_access_control_server_solution_engine:*:*:*:*:*:*:*:*", "matchCriteriaId": "F50E74E5-E2F3-4EAD-9307-B8C7E8D95254", "versionEndExcluding": "5.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:secure_access_control_server_solution_engine:5.8:-:*:*:*:*:*:*", "matchCriteriaId": "2AA09B38-0BC4-4F5B-B91F-405C59144FEF", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:secure_access_control_server_solution_engine:5.8:p1:*:*:*:*:*:*", "matchCriteriaId": "157F979E-56B3-43B3-A51B-D108B2CF1C8C", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:secure_access_control_server_solution_engine:5.8:p2:*:*:*:*:*:*", "matchCriteriaId": "84651278-2B86-48F8-BAA0-BF01DE267E96", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:secure_access_control_server_solution_engine:5.8:p3:*:*:*:*:*:*", "matchCriteriaId": "BB348B8A-646D-4B16-B009-675D7268340E", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:secure_access_control_server_solution_engine:5.8:p4:*:*:*:*:*:*", "matchCriteriaId": "B82436DD-1270-42F2-B902-70A1841AA6AB", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:secure_access_control_server_solution_engine:5.8:p5:*:*:*:*:*:*", "matchCriteriaId": "D8B235BF-D10F-4BD1-B6D9-9BAEFFA0E327", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:secure_access_control_server_solution_engine:5.8:p6:*:*:*:*:*:*", "matchCriteriaId": "EB759943-E4CC-40E1-83EE-7BAF533DA2C7", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:secure_access_control_server_solution_engine:5.8:p7:*:*:*:*:*:*", "matchCriteriaId": "ADA84D99-7581-4D1A-BC1C-4CE1ED73743D", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:secure_access_control_server_solution_engine:5.8:p8:*:*:*:*:*:*", "matchCriteriaId": "AA00C861-6E00-4181-A9C7-502B2D14F766", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:secure_access_control_server_solution_engine:5.8:p9:*:*:*:*:*:*", "matchCriteriaId": "87F7FDC6-65F6-4BF1-8AA2-CFE73972E6C1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in the web-based UI of Cisco Secure Access Control Server could allow an authenticated, remote attacker to gain read access to certain information in an affected system. The vulnerability is due to improper handling of XML External Entities (XXEs) when parsing an XML file. An attacker could exploit this vulnerability by convincing the administrator of an affected system to import a crafted XML file."}, {"lang": "es", "value": "Una vulnerabilidad en la interfaz web de usuario de Cisco Secure Access Control Server podr\u00eda permitir que un atacante remoto autenticado obtenga acceso de lectura a determinada informaci\u00f3n en un sistema afectado. La vulnerabilidad se debe a una gesti\u00f3n incorrecta de XXE (Entidades Externas XML) a la hora de analizar sint\u00e1cticamente un archivo XML. Un atacante podr\u00eda explotar esta vulnerabilidad convenciendo al administrador de un sistema afectado para que importe un archivo XML manipulado."}], "id": "CVE-2018-0414", "lastModified": "2019-10-09T23:32:01.617", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-10-05T14:29:00.497", "references": [{"source": "ykramarz@cisco.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/105289"}, {"source": "ykramarz@cisco.com", "tags": ["VDB Entry", "Third Party Advisory"], "url": "http://www.securitytracker.com/id/1041688"}, {"source": "ykramarz@cisco.com", "tags": ["Vendor Advisory"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-acsxxe"}], "sourceIdentifier": "ykramarz@cisco.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-611"}], "source": "ykramarz@cisco.com", "type": "Secondary"}]}

{}