CVE-2017-13706 - OpenCVE

XML external entity (XXE) vulnerability in the import package functionality of the deployment module in Lansweeper before 6.0.100.67 allows remote authenticated users to obtain sensitive information, cause a denial of service, conduct server-side request forgery (SSRF) attacks, conduct internal port scans, or have unspecified other impact via an XML request, aka bug #572705.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Lansweeper	Lansweeper

Configuration 1 [-]

cpe:2.3:a:lansweeper:lansweeper:*:*:*:*:*:*:*:*

References

Link	Resource
http://packetstormsecurity.com/files/144527/Lansweeper-6.0.100.29-XXE-Injection.html	Third Party Advisory VDB Entry
http://seclists.org/fulldisclosure/2017/Oct/14	Mailing List Third Party Advisory
https://www.lansweeper.com/changelog.aspx	Release Notes Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2017-10-10T13:00:00

Updated: 2017-10-10T12:57:01

Reserved: 2017-08-27T00:00:00

Link: CVE-2017-13706

JSON object: View

NVD Information

Status : Analyzed

Published: 2017-10-10T13:29:00.343

Modified: 2017-11-05T22:43:09.663

Link: CVE-2017-13706

JSON object: View

Redhat Information

No data.

CWE

CWE-611

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-10-04T00:00:00", "descriptions": [{"lang": "en", "value": "XML external entity (XXE) vulnerability in the import package functionality of the deployment module in Lansweeper before 6.0.100.67 allows remote authenticated users to obtain sensitive information, cause a denial of service, conduct server-side request forgery (SSRF) attacks, conduct internal port scans, or have unspecified other impact via an XML request, aka bug #572705."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-10-10T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "20171007 CVE-2017-13706, Lansweeper 6.0.100.29 XXE Vulnerability", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2017/Oct/14"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.lansweeper.com/changelog.aspx"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/144527/Lansweeper-6.0.100.29-XXE-Injection.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-13706", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "XML external entity (XXE) vulnerability in the import package functionality of the deployment module in Lansweeper before 6.0.100.67 allows remote authenticated users to obtain sensitive information, cause a denial of service, conduct server-side request forgery (SSRF) attacks, conduct internal port scans, or have unspecified other impact via an XML request, aka bug #572705."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "20171007 CVE-2017-13706, Lansweeper 6.0.100.29 XXE Vulnerability", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2017/Oct/14"}, {"name": "https://www.lansweeper.com/changelog.aspx", "refsource": "CONFIRM", "url": "https://www.lansweeper.com/changelog.aspx"}, {"name": "http://packetstormsecurity.com/files/144527/Lansweeper-6.0.100.29-XXE-Injection.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/144527/Lansweeper-6.0.100.29-XXE-Injection.html"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-13706", "datePublished": "2017-10-10T13:00:00", "dateReserved": "2017-08-27T00:00:00", "dateUpdated": "2017-10-10T12:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lansweeper:lansweeper:*:*:*:*:*:*:*:*", "matchCriteriaId": "0E62F9A0-D77A-4C0F-9488-3E5F8E250E4D", "versionEndIncluding": "6.0.100.29", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "XML external entity (XXE) vulnerability in the import package functionality of the deployment module in Lansweeper before 6.0.100.67 allows remote authenticated users to obtain sensitive information, cause a denial of service, conduct server-side request forgery (SSRF) attacks, conduct internal port scans, or have unspecified other impact via an XML request, aka bug #572705."}, {"lang": "es", "value": "Vulnerabilidad XEE (XML External Entity) en la funcionalidad de importaci\u00f3n de paquetes del m\u00f3dulo deployment en Lansweeper en versiones anteriores a la 6.0.100.67 permite que usuarios autenticados remotos obtengan informaci\u00f3n sensible, provoquen una denegaci\u00f3n de servicio, realicen ataques SSRF (Server-Side Request Forgery), realicen escaneos de puertos internos o provoquen otro impacto no especificado mediante una petici\u00f3n XML. Esta vulnerabilidad tambi\u00e9n se conoce como bug #572705."}], "id": "CVE-2017-13706", "lastModified": "2017-11-05T22:43:09.663", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-10-10T13:29:00.343", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/144527/Lansweeper-6.0.100.29-XXE-Injection.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2017/Oct/14"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://www.lansweeper.com/changelog.aspx"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}]}