CVE-2018-1000548

EUVD-2018-1937
Umlet version < 14.3 contains a XML External Entity (XXE) vulnerability in File parsing that can result in disclosure of confidential data, denial of service, server side request forgery. This attack appear to be exploitable via Specially crafted UXF file. This vulnerability appears to have been fixed in 14.3.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.8 HIGH
LOCAL
LOW
NONE
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 41%
Affected Products (NVD)
VendorProductVersion
umletumlet
𝑥
< 14.3
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
umlet
artful
ignored
bionic
needs-triage
cosmic
ignored
disco
ignored
eoan
ignored
focal
needs-triage
groovy
ignored
hirsute
ignored
impish
ignored
jammy
needs-triage
kinetic
ignored
lunar
dne
mantic
dne
noble
dne
trusty
dne
xenial
needs-triage
Common Weakness Enumeration
References
http://0dd.zone/2018/04/23/UMLet-XXE/
https://github.com/umlet/umlet/issues/500
http://0dd.zone/2018/04/23/UMLet-XXE/
https://github.com/umlet/umlet/issues/500