CVE-2018-1000823

exist version <= 5.0.0-RC4 contains a XML External Entity (XXE) vulnerability in XML Parser for REST Server that can result in Disclosure of confidential data, denial of service, SSRF, port scanning.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
10 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 47%
VendorProductVersion
exist-dbexist
𝑥
< 5.0.0
exist-dbexist
5.0.0:rc1
exist-dbexist
5.0.0:rc2
exist-dbexist
5.0.0:rc3
exist-dbexist
5.0.0:rc4
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://0dd.zone/2018/10/27/exist-XXE/
https://github.com/eXist-db/exist/issues/2180
https://0dd.zone/2018/10/27/exist-XXE/
https://github.com/eXist-db/exist/issues/2180