Vulnerability Description
HCL AppScan Source before 9.03.13 is susceptible to XML External Entity (XXE) attacks in multiple locations. In particular, an attacker can send a specially crafted .ozasmt file to a targeted victim and ask the victim to open it. When the victim imports the .ozasmt file in AppScan Source, the content of any file in the local file system (to which the victim has read access) can be exfiltrated to a remote listener under the attacker's control. The product does not disable external XML entity processing, which can lead to information disclosure and denial-of-service attacks.
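The root cause named above is an XML parser that leaves external entity processing enabled while importing an untrusted file. The following is an added example, not code from HCL or from AppScan Source, showing what an importer that rejects entity processing looks like next to the unsafe configuration the description corresponds to. It uses Python's standard library only; the element names (assessment, finding) are assumed stand-ins for the real .ozasmt structure, which this page does not describe, and the "secret" file and both documents are constructed inline so the example runs offline.

```python
import io
import os
import tempfile
import xml.parsers.expat
import xml.sax
from xml.sax import handler


class UnsafeXMLError(ValueError):
    """Raised when an imported document uses XML features that enable XXE."""


def parse_assessment_safely(data):
    """Parse an untrusted XML import with every entity mechanism switched off.

    Returns a flat list of (element name, text) pairs. Any DOCTYPE, entity
    declaration or external entity reference aborts the parse, so a crafted
    import cannot make the parser read local files or fetch remote URLs.
    """
    parser = xml.parsers.expat.ParserCreate()
    # Parameter entities (external DTD subsets) are a second XXE vector.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError("DOCTYPE declaration %r rejected" % name)

    def reject_entity_decl(name, is_pe, value, base, sysid, pubid, notation):
        raise UnsafeXMLError("entity declaration %r rejected" % name)

    def reject_external_ref(context, base, sysid, pubid):
        raise UnsafeXMLError("external entity reference to %r rejected" % sysid)

    # Exceptions raised inside expat handlers stop parsing and propagate.
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity_decl
    parser.ExternalEntityRefHandler = reject_external_ref

    elements, stack = [], []

    def start(name, attrs):
        stack.append([name, []])

    def chars(text):
        if stack:
            stack[-1][1].append(text)

    def end(name):
        elem_name, parts = stack.pop()
        elements.append((elem_name, "".join(parts).strip()))

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return elements


def parse_assessment_unsafely(data):
    """Reference for the pre-fix behaviour: a SAX parser with external general
    entity processing enabled returns a referenced local file's content as text.
    (Python disables this feature by default; it is switched on here only to
    show why the product's setting matters.)"""
    class Collect(handler.ContentHandler):
        def __init__(self):
            super().__init__()
            self.text = []

        def characters(self, content):
            self.text.append(content)

    collector = Collect()
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, True)  # the unsafe setting
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(data))
    return "".join(collector.text)


def run_demo():
    """Feed a benign and a crafted import through both loaders; returns the outcomes."""
    # Constructed stand-in for a sensitive file the importing user can read.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("CONSTRUCTED-LOCAL-SECRET")
        local_path = fh.name
    try:
        benign = b"<assessment><finding>SQL injection in login.jsp</finding></assessment>"
        crafted = (b'<?xml version="1.0"?>'
                   b'<!DOCTYPE assessment [<!ENTITY leak SYSTEM "'
                   + local_path.encode() + b'">]>'
                   b'<assessment><finding>&leak;</finding></assessment>')
        try:
            parse_assessment_safely(crafted)
            rejected = None
        except UnsafeXMLError as exc:
            rejected = str(exc)
        return {
            "benign": parse_assessment_safely(benign),
            "unsafe_leak": parse_assessment_unsafely(crafted),
            "safe_rejected": rejected,
        }
    finally:
        os.unlink(local_path)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
```

The safe loader refuses the document at the DOCTYPE, before any entity is declared, which also closes off internal entity expansion (billion-laughs style denial of service) that the description's second impact refers to. Rejecting the whole import is the right default for a file format that never needs a DTD.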
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Hcltech | Appscan Source | < 9.03.13 |
Related Weaknesses (CWE)
References
- https://hclpnpsupport.hcltech.com/csm?id=kb_article&sys_id=0812a9961b0c885077761 (Patch, Vendor Advisory)
FAQ
What is CVE-2019-16188?
CVE-2019-16188 is a vulnerability with a CVSS score of 7.1 (HIGH). HCL AppScan Source before 9.03.13 is susceptible to XML External Entity (XXE) attacks in multiple locations. In particular, an attacker can send a specially crafted .ozasmt file to a targeted victim a...
How severe is CVE-2019-16188?
CVE-2019-16188 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-16188?
Check the references section above for vendor advisories and patch information. Affected products include: Hcltech Appscan Source.