CVE-2018-1000828

FrostWire version <= frostwire-desktop-6.7.4-build-272 contains an XML External Entity (XXE) vulnerability, reachable through a man-in-the-middle on update, that can result in disclosure of confidential data, denial of service, SSRF, and port scanning. This attack appears to be exploitable via a man-in-the-middle on the call to update the software.

Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST | NIST | 9 CRITICAL | NETWORK | HIGH | NONE | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
mitre | CNA | --- | ---
CVE | ADP | --- | ---

EPSS Score percentile: 47%

Vulnerable software versions

Vendor | Product | Version
frostwire | frostwire | 1.9.9:build246
frostwire | frostwire | 1.9.9:build247
frostwire | frostwire | 2.0.7:build263
frostwire | frostwire | 6.1.6:build166
frostwire | frostwire | 6.1.6:build167
frostwire | frostwire | 6.1.7:build168
frostwire | frostwire | 6.1.8:build169
frostwire | frostwire | 6.1.9:build172
frostwire | frostwire | 6.2.0:build173
frostwire | frostwire | 6.2.0:build174
frostwire | frostwire | 6.2.1:build175
frostwire | frostwire | 6.2.2:build176
frostwire | frostwire | 6.2.3:build177
frostwire | frostwire | 6.2.3:build178
frostwire | frostwire | 6.2.4:build179
frostwire | frostwire | 6.3.0:build180
frostwire | frostwire | 6.3.0:build181
frostwire | frostwire | 6.3.0:build182
frostwire | frostwire | 6.3.0:build183
frostwire | frostwire | 6.3.0:build184
frostwire | frostwire | 6.3.0:build185
frostwire | frostwire | 6.3.1:build186
frostwire | frostwire | 6.3.2:build187
frostwire | frostwire | 6.3.2:build188
frostwire | frostwire | 6.3.3:build189
frostwire | frostwire | 6.3.3:build190
frostwire | frostwire | 6.3.3:build193
frostwire | frostwire | 6.3.3:build255
frostwire | frostwire | 6.3.4:build193
frostwire | frostwire | 6.3.4:build194
frostwire | frostwire | 6.3.5:build195
frostwire | frostwire | 6.3.5:build197
frostwire | frostwire | 6.3.5:build198
frostwire | frostwire | 6.3.6:build201
frostwire | frostwire | 6.3.6:build202
frostwire | frostwire | 6.3.7:build203
frostwire | frostwire | 6.3.7:build204
frostwire | frostwire | 6.3.7:build205
frostwire | frostwire | 6.3.7:build206
frostwire | frostwire | 6.4.0:build207
frostwire | frostwire | 6.4.0:build208
frostwire | frostwire | 6.4.1:build209
frostwire | frostwire | 6.4.1:build210
frostwire | frostwire | 6.4.2:build212
frostwire | frostwire | 6.4.3:build214
frostwire | frostwire | 6.4.4:build215
frostwire | frostwire | 6.4.5:build218
frostwire | frostwire | 6.4.5:build219
frostwire | frostwire | 6.4.5:build220
frostwire | frostwire | 6.4.5:build221
frostwire | frostwire | 6.4.5:build222
frostwire | frostwire | 6.4.6:build223
frostwire | frostwire | 6.4.6:build227
frostwire | frostwire | 6.4.7:build228
frostwire | frostwire | 6.4.7:build229
frostwire | frostwire | 6.4.8:build230
frostwire | frostwire | 6.4.8:build232
frostwire | frostwire | 6.4.8:build233
frostwire | frostwire | 6.4.8:build234
frostwire | frostwire | 6.4.9:build235
frostwire | frostwire | 6.5.0:build236
frostwire | frostwire | 6.5.1:build238
frostwire | frostwire | 6.5.2:build239
frostwire | frostwire | 6.5.3:build240
frostwire | frostwire | 6.5.4:build241
frostwire | frostwire | 6.5.5:build242
frostwire | frostwire | 6.5.5:build243
frostwire | frostwire | 6.5.8:build244
frostwire | frostwire | 6.5.8:build245
frostwire | frostwire | 6.5.9:build246
frostwire | frostwire | 6.6.0:build248
frostwire | frostwire | 6.6.1:build249
frostwire | frostwire | 6.6.2:build250
frostwire | frostwire | 6.6.2:build251
frostwire | frostwire | 6.6.3:build252
frostwire | frostwire | 6.6.3:build253
frostwire | frostwire | 6.6.4:build256
frostwire | frostwire | 6.6.5:build257
frostwire | frostwire | 6.6.6:build258
frostwire | frostwire | 6.6.7:build529
frostwire | frostwire | 6.6.8:build260
frostwire | frostwire | 6.7.0:build261
frostwire | frostwire | 6.7.0:build262
frostwire | frostwire | 6.7.0:build264
frostwire | frostwire | 6.7.0:build265hotfix
frostwire | frostwire | 6.7.1:build266
frostwire | frostwire | 6.7.1:build267
frostwire | frostwire | 6.7.1:build268
frostwire | frostwire | 6.7.2:build269
frostwire | frostwire | 6.7.2:build270
frostwire | frostwire | 6.7.3:build271
frostwire | frostwire | 6.7.4:build272