Vulnerability Details : CVE-2015-0581
The XML parser in Cisco Prime Service Catalog before 10.1 allows remote authenticated users to read arbitrary files or cause a denial of service (CPU and memory consumption) via an external entity declaration in conjunction with an entity reference, as demonstrated by reading private keys, related to an XML External Entity (XXE) issue, aka Bug ID CSCup92880.
Vulnerability category: XML external entity (XXE) injection, Denial of service
Products affected by CVE-2015-0581
- cpe:2.3:a:cisco:prime_service_catalog:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-0581
- 0.23%: Probability of exploitation activity in the next 30 days
- ~60%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2015-0581
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | AV:N/AC:L/Au:S/C:C/I:N/A:P | 8.0 | 7.8 | NIST | |
References for CVE-2015-0581
- http://www.securitytracker.com/id/1031658
  Cisco Prime Service Catalog XML External Entity Parsing Flaw Lets Remote Authenticated Users Deny Service and Obtain Potentially Sensitive Information - SecurityTracker
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150128-psc-xmlee
  Cisco Prime Service Catalog XML External Entity Processing Vulnerability (Vendor Advisory)
- http://www.securityfocus.com/bid/72350
  Cisco Prime Service Catalog CVE-2015-0581 XML External Entity Injection Vulnerability