CVE-2023-6280 : An XXE (XML External Entity) vulnerability has been detected in 52North WPS affe

An XXE (XML External Entity) vulnerability has been detected in 52North WPS affecting versions prior to 4.0.0-beta.11. This vulnerability allows the use of external entities in its WebProcessingService servlet for an attacker to retrieve files by making HTTP requests to the internal network.

Published 2023-12-19 15:15:09

Updated 2024-08-02 09:15:36

Source Spanish National Cybersecurity Institute, S.A. (INCIBE)

View at NVD, CVE.org

Vulnerability category: XML external entity (XXE) injection

Products affected by CVE-2023-6280

52north » WPS
Versions before (<) 4.0.0
cpe:2.3:a:52north:wps:*:*:*:*:*:*:*:*
Matching versions
52north » WPS » Version: 4.0.0 Update Beta1
cpe:2.3:a:52north:wps:4.0.0:beta1:*:*:*:*:*:*
Matching versions
52north » WPS » Version: 4.0.0 Update Beta2
cpe:2.3:a:52north:wps:4.0.0:beta2:*:*:*:*:*:*
Matching versions
52north » WPS » Version: 4.0.0 Update Beta3
cpe:2.3:a:52north:wps:4.0.0:beta3:*:*:*:*:*:*
Matching versions
52north » WPS » Version: 4.0.0 Update Beta4
cpe:2.3:a:52north:wps:4.0.0:beta4:*:*:*:*:*:*
Matching versions
52north » WPS » Version: 4.0.0 Update Beta5
cpe:2.3:a:52north:wps:4.0.0:beta5:*:*:*:*:*:*
Matching versions
52north » WPS » Version: 4.0.0 Update Beta6
cpe:2.3:a:52north:wps:4.0.0:beta6:*:*:*:*:*:*
Matching versions
52north » WPS » Version: 4.0.0 Update Beta7
cpe:2.3:a:52north:wps:4.0.0:beta7:*:*:*:*:*:*
Matching versions
52north » WPS » Version: 4.0.0 Update Beta8
cpe:2.3:a:52north:wps:4.0.0:beta8:*:*:*:*:*:*
Matching versions
52north » WPS » Version: 4.0.0 Update Beta9
cpe:2.3:a:52north:wps:4.0.0:beta9:*:*:*:*:*:*
Matching versions
52north » WPS » Version: 4.0.0 Update Beta10
cpe:2.3:a:52north:wps:4.0.0:beta10:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-6280

EPSS FAQ

0.18%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 38 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-6280

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.2	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L	3.9	2.7	Spanish National Cybersecurity Institute, S.A. (INCIBE)
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Changed Confidentiality: Low Integrity: None Availability: Low
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2023-6280

CWE-611 Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Assigned by: cve-coordination@incibe.es (Primary)

References for CVE-2023-6280

https://www.incibe.es/en/incibe-cert/notices/aviso/xml-external-entity-reference-52north-wps

XML External Entity Reference on 52North WPS | INCIBE-CERT | INCIBE
Third Party Advisory

Jump to

Vulnerability Details : CVE-2023-6280

Products affected by CVE-2023-6280

Exploit prediction scoring system (EPSS) score for CVE-2023-6280

CVSS scores for CVE-2023-6280

CWE ids for CVE-2023-6280

References for CVE-2023-6280