Vulnerability Description
In WebFOCUS Business Intelligence 8.0 (SP6), the administration portal allows remote attackers to read arbitrary local files or forge server-side HTTP requests via a crafted HTTP request to /ibi_apps/WFServlet.cfg because XML external entity injection is possible. This is related to making changes to the application repository configuration.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ibi | Webfocus Business Intelligence | 8.0 |
References
- https://www.hooperlabs.xyz/disclosures/webfocus.php (Technical Description, Third Party Advisory)
FAQ
What is CVE-2020-14204?
CVE-2020-14204 is a vulnerability with a CVSS score of 8.2 (HIGH). In WebFOCUS Business Intelligence 8.0 (SP6), the administration portal allows remote attackers to read arbitrary local files or forge server-side HTTP requests via a crafted HTTP request to /ibi_apps/...
How severe is CVE-2020-14204?
CVE-2020-14204 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2020-14204?
Check the references section above for vendor advisories and patch information. Affected products include: Ibi Webfocus Business Intelligence.