Vulnerability Details : CVE-2018-15444
Potential exploit
A vulnerability in the web-based user interface of Cisco Energy Management Suite Software could allow an authenticated, remote attacker to gain read and write access to information that is stored on an affected system. The vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by convincing a user of an affected system to import a crafted XML file with malicious entries, which could allow the attacker to read and write files within the affected application.
Vulnerability category: XML external entity (XXE) injection
Products affected by CVE-2018-15444
- cpe:2.3:a:cisco:energy_management_suite_software:-:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-15444
0.42%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 74 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2018-15444
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.9
|
MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:N |
6.8
|
4.9
|
NIST | |
7.3
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N |
2.1
|
5.2
|
NIST | |
6.3
|
MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N |
2.1
|
4.2
|
Cisco Systems, Inc. |
CWE ids for CVE-2018-15444
-
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.Assigned by:
- nvd@nist.gov (Primary)
- ykramarz@cisco.com (Secondary)
References for CVE-2018-15444
-
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-ems-xml-xxe
Cisco Energy Management Suite XML External Entity VulnerabilityBroken Link;Vendor Advisory
-
http://www.securityfocus.com/bid/105860
Cisco Energy Management Suite CVE-2018-15444 XML External Entity Injection VulnerabilityThird Party Advisory;VDB Entry
-
https://www.tenable.com/security/research/tra-2018-36
[R1] Cisco Energy Management Suite Multiple Vulnerabilities - Research Advisory | TenableĀ®Exploit;Mitigation;Third Party Advisory
Jump to