Vulnerability Description
An XXE issue was discovered in Automated Logic Corporation (ALC) WebCTRL Versions 6.0, 6.1 and 6.5. An unauthenticated attacker can supply malicious input to WebCTRL via the "X-Wap-Profile" HTTP header; because the XML parser is weakly configured, the application will disclose full file contents from the underlying web server OS.
CVSS Score
HIGH (base score 7.5)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Carrier | Automatedlogic Webctrl | 6.0 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/148126/WebCTRL-Out-Of-Band-XML-Injection.ht (Third Party Advisory, VDB Entry)
- http://seclists.org/fulldisclosure/2018/Jun/21 (Mailing List, Third Party Advisory)
- https://hateshape.github.io/general/2018/06/07/CVE-2018-8819.html (Exploit, Third Party Advisory)
FAQ
What is CVE-2018-8819?
CVE-2018-8819 is a vulnerability with a CVSS score of 7.5 (HIGH). An XXE issue was discovered in Automated Logic Corporation (ALC) WebCTRL Versions 6.0, 6.1 and 6.5. An unauthenticated attacker could enter malicious input to WebCTRL and a weakly configured XML parse...
How severe is CVE-2018-8819?
CVE-2018-8819 has been rated HIGH with a CVSS base score of 7.5/10. See the CVSS Score section above.
Is there a patch for CVE-2018-8819?
Check the references section above for vendor advisories and patch information. Affected products include: Carrier Automatedlogic Webctrl.