Summary
This host is running Atlassian Crowd and is prone to an XML external entity (XXE) injection vulnerability.
Impact
Successful exploitation allows remote attackers to gain access to arbitrary files by sending specially crafted XML data.
Solution
Upgrade to version 2.5.4, 2.6.3, 2.7 or higher.
For updates refer to http://www.atlassian.com/software/crowd/download
Insight
The flaw is due to an incorrectly configured XML parser that accepts XML external entities from an untrusted source.
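As an added defensive illustration (not code from Atlassian, Crowd, or this advisory), the following Java snippet shows how a JAXP DocumentBuilderFactory is configured so that it refuses document type declarations and never resolves external general or parameter entities, which is the parser misconfiguration this flaw stems from. The class name, the two sample request bodies and the file path placeholder are constructed for the example.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedXmlParser {

    // Constructed sample input: a request body whose DOCTYPE declares an external
    // entity. The path is a placeholder; the point is that the parser never fetches it.
    static final String XML_WITH_EXTERNAL_ENTITY =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE request [ <!ENTITY ext SYSTEM \"file:///PLACEHOLDER_PATH\"> ]>\n"
        + "<request><name>&ext;</name></request>";

    // Constructed sample input: an ordinary request body with no DOCTYPE.
    static final String PLAIN_XML =
        "<?xml version=\"1.0\"?><request><name>alice</name></request>";

    // Builds a parser that rejects DTDs outright and, as defence in depth,
    // disables external general/parameter entities and external DTD loading.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Rejecting the DOCTYPE entirely is the single most effective setting.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for deployments that must tolerate a DOCTYPE elsewhere.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory.newDocumentBuilder();
    }

    // Returns the parsed document, or null when the hardened parser rejected the input.
    static Document parseUntrusted(String xml) throws ParserConfigurationException {
        try {
            return hardenedBuilder().parse(new InputSource(new StringReader(xml)));
        } catch (SAXException e) {
            // A DOCTYPE in the input lands here once disallow-doctype-decl is on.
            return null;
        } catch (IOException e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        Document plain = parseUntrusted(PLAIN_XML);
        System.out.println("plain document parsed: " + (plain != null));
        Document withDoctype = parseUntrusted(XML_WITH_EXTERNAL_ENTITY);
        System.out.println("document with DOCTYPE rejected: " + (withDoctype == null));
    }
}
```

The feature URIs are the standard Xerces/SAX identifiers honoured by the JDK's built-in parser; on a different JAXP implementation an unsupported feature throws ParserConfigurationException, which is the right outcome, since a parser that cannot be hardened should not be handed untrusted input.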
Affected
Atlassian Crowd 2.5.x before 2.5.4, 2.6.x before 2.6.3, 2.3.8, and 2.4.9
Detection
Send crafted XML data via an HTTP POST request and check whether a system file can be read.
References
Severity
CVSS Base Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Classification
CVE: CVE-2013-3925