HIGH · 7.7

CVE-2021-30137


Vulnerability Description

Assyst 10 SP7.5 has authenticated XXE leading to SSRF via XML unmarshalling. The application allows users to send JSON or XML data to the server. It was possible to inject malicious XML data through several access points.

CVSS Score

7.7 (HIGH)

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality: LOW
Integrity: LOW
Availability: HIGH

Affected Products

Vendor: Axiossystems
Product: Assyst
Versions: 10

Related Weaknesses (CWE)

References

FAQ

What is CVE-2021-30137?

CVE-2021-30137 is a vulnerability with a CVSS score of 7.7 (HIGH). Assyst 10 SP7.5 has authenticated XXE leading to SSRF via XML unmarshalling. The application allows users to send JSON or XML data to the server. It was possible to inject malicious XML data through several access points.

How severe is CVE-2021-30137?

CVE-2021-30137 has been rated HIGH with a CVSS base score of 7.7/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-30137?

Check the references section above for vendor advisories and patch information. Affected products include: Axiossystems Assyst.