CVE-2018-1000069 : FreePlane version 1.5.9 and earlier contains a XML External Entity (XXE) vulnera

FreePlane version 1.5.9 and earlier contains a XML External Entity (XXE) vulnerability in XML Parser in mindmap loader that can result in stealing data from victim's machine. This attack appears to require the victim to open a specially crafted mind map file. This vulnerability appears to have been fixed in 1.6+.

Published 2018-03-13 15:29:00

Updated 2019-03-14 17:31:50

Source MITRE

View at NVD, CVE.org

Vulnerability category: XML external entity (XXE) injection

Products affected by CVE-2018-1000069

Debian » Debian Linux » Version: 7.0
cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Freeplane » Freeplane
Versions up to, including, (<=) 1.5.9
cpe:2.3:a:freeplane:freeplane:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2018-1000069

EPSS FAQ

0.40%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 57 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2018-1000069

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:P/I:N/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
5.5	MEDIUM	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N	1.8	3.6	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2018-1000069

CWE-611 Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2018-1000069

https://lists.debian.org/debian-lts-announce/2018/03/msg00019.html

[SECURITY] [DLA 1316-1] freeplane security update
Mailing List;Third Party Advisory
https://www.debian.org/security/2018/dsa-4175

Debian -- Security Information -- DSA-4175-1 freeplane
Third Party Advisory
https://www.youtube.com/watch?v=7IXtiTNilAI

FreePlane XXE - YouTube
Exploit;Third Party Advisory
https://www.freeplane.org/wiki/index.php/XML_External_Entity_vulnerability_in_map_parser

XML External Entity vulnerability in map parser - Freeplane - free mind mapping and knowledge management software
Vendor Advisory

Jump to

Vulnerability Details : CVE-2018-1000069

Products affected by CVE-2018-1000069

Exploit prediction scoring system (EPSS) score for CVE-2018-1000069

CVSS scores for CVE-2018-1000069

CWE ids for CVE-2018-1000069

References for CVE-2018-1000069