FrostWire version <= frostwire-desktop-6.7.4-build-272 contains an XML External Entity (XXE) vulnerability, exposed to a man in the middle on update, that can result in disclosure of confidential data, denial of service, SSRF, and port scanning. This attack appears to be exploitable via a man-in-the-middle attack on the call to update the software.
Attack Vector Network
Attack Complexity High
Privileges Required None
Scope Changed
Confidentiality Impact High
Integrity Impact High
Availability Impact High
User Interaction None
No CVSS v3.0
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Partial
Integrity Impact Partial
Availability Impact Partial
AV:N/AC:M/Au:N/C:P/I:P/A:P
Vendors | Products |
---|---|
Frostwire |
References
Link | Resource |
---|---|
https://0dd.zone/2018/10/28/frostwire-XXE-MitM/ | Third Party Advisory |
https://github.com/frostwire/frostwire/issues/829 | Issue Tracking Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2022-10-03T16:21:59
Updated: 2022-10-03T16:21:59
Reserved: 2018-10-28T00:00:00
Link: CVE-2018-1000828
NVD Information
Status : Analyzed
Published: 2018-12-20T15:29:01.190
Modified: 2019-10-24T12:31:58.397
Link: CVE-2018-1000828
Redhat Information
No data.
CWE