1. CVE-Search
  2. CVE-2018-12243
ID CVE-2018-12243
Summary The Symantec Messaging Gateway product prior to 10.6.6 may be susceptible to a XML external entity (XXE) exploit, which is a type of issue where XML input containing a reference to an external entity is processed by a weakly configured XML parser. The attack uses file URI schemes or relative paths in the system identifier to access files that should not normally be accessible.
References
Vulnerable Configurations
  • cpe:2.3:a:symantec:messaging_gateway:9.5:*:*:*:*:*:*:*
    cpe:2.3:a:symantec:messaging_gateway:9.5:*:*:*:*:*:*:*
  • cpe:2.3:a:symantec:messaging_gateway:9.5.1:*:*:*:*:*:*:*
    cpe:2.3:a:symantec:messaging_gateway:9.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:symantec:messaging_gateway:9.5.2:*:*:*:*:*:*:*
    cpe:2.3:a:symantec:messaging_gateway:9.5.2:*:*:*:*:*:*:*
  • cpe:2.3:a:symantec:messaging_gateway:9.5.3:*:*:*:*:*:*:*
    cpe:2.3:a:symantec:messaging_gateway:9.5.3:*:*:*:*:*:*:*
  • cpe:2.3:a:symantec:messaging_gateway:9.5.4:*:*:*:*:*:*:*
    cpe:2.3:a:symantec:messaging_gateway:9.5.4:*:*:*:*:*:*:*
  • cpe:2.3:a:symantec:messaging_gateway:10.0:*:*:*:*:*:*:*
    cpe:2.3:a:symantec:messaging_gateway:10.0:*:*:*:*:*:*:*
  • cpe:2.3:a:symantec:messaging_gateway:10.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:symantec:messaging_gateway:10.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:symantec:messaging_gateway:10.0.2:*:*:*:*:*:*:*
    cpe:2.3:a:symantec:messaging_gateway:10.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:symantec:messaging_gateway:10.0.3:*:*:*:*:*:*:*
    cpe:2.3:a:symantec:messaging_gateway:10.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:symantec:messaging_gateway:10.5.0:*:*:*:*:*:*:*
    cpe:2.3:a:symantec:messaging_gateway:10.5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:symantec:messaging_gateway:10.5.1:*:*:*:*:*:*:*
    cpe:2.3:a:symantec:messaging_gateway:10.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:symantec:messaging_gateway:10.5.2:*:*:*:*:*:*:*
    cpe:2.3:a:symantec:messaging_gateway:10.5.2:*:*:*:*:*:*:*
  • cpe:2.3:a:symantec:messaging_gateway:10.5.4:*:*:*:*:*:*:*
    cpe:2.3:a:symantec:messaging_gateway:10.5.4:*:*:*:*:*:*:*
  • cpe:2.3:a:symantec:messaging_gateway:10.6.0:*:*:*:*:*:*:*
    cpe:2.3:a:symantec:messaging_gateway:10.6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:symantec:messaging_gateway:10.6.0:patch3:*:*:*:*:*:*
    cpe:2.3:a:symantec:messaging_gateway:10.6.0:patch3:*:*:*:*:*:*
  • cpe:2.3:a:symantec:messaging_gateway:10.6.0:patch5:*:*:*:*:*:*
    cpe:2.3:a:symantec:messaging_gateway:10.6.0:patch5:*:*:*:*:*:*
  • cpe:2.3:a:symantec:messaging_gateway:10.6.0:patch7:*:*:*:*:*:*
    cpe:2.3:a:symantec:messaging_gateway:10.6.0:patch7:*:*:*:*:*:*
  • cpe:2.3:a:symantec:messaging_gateway:10.6.1:*:*:*:*:*:*:*
    cpe:2.3:a:symantec:messaging_gateway:10.6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:symantec:messaging_gateway:10.6.2:*:*:*:*:*:*:*
    cpe:2.3:a:symantec:messaging_gateway:10.6.2:*:*:*:*:*:*:*
  • cpe:2.3:a:symantec:messaging_gateway:10.6.3:*:*:*:*:*:*:*
    cpe:2.3:a:symantec:messaging_gateway:10.6.3:*:*:*:*:*:*:*
  • cpe:2.3:a:symantec:messaging_gateway:10.6.4:*:*:*:*:*:*:*
    cpe:2.3:a:symantec:messaging_gateway:10.6.4:*:*:*:*:*:*:*
  • cpe:2.3:a:symantec:messaging_gateway:10.6.5:*:*:*:*:*:*:*
    cpe:2.3:a:symantec:messaging_gateway:10.6.5:*:*:*:*:*:*:*
CVSS
Base: 5.8 (as of 08-12-2018 - 02:31)
Impact:
Exploitability:
CWE CWE-611
CAPEC
  • XML External Entities Blowup
    This attack takes advantage of the entity replacement property of XML where the value of the replacement is a URI. A well-crafted XML document could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.
Access
VectorComplexityAuthentication
ADJACENT_NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:A/AC:L/Au:N/C:P/I:P/A:P
refmap via4
bid 105330
confirm https://support.symantec.com/en_US/article.SYMSA1461.html
Last major update 08-12-2018 - 02:31
Published 19-09-2018 - 15:29
Last modified 08-12-2018 - 02:31
Back to Top