Description
Security-Assessment.com discovered that multiple Adobe products with different Data Services versions are vulnerable to XML External Entity (XXE) and XML injection attacks. XML External Entity injection allows a wide range of XML-based attacks, including local file disclosure, TCP scans and Denial of Service conditions, which can be achieved by recursive entity injection, attribute blow-up and other types of injection. For more information about the implications associated with this vulnerability, refer to RFC 2518 (17.7 Implications of XML External Entities): http://www.ietf.org/rfc/rfc2518.txt.
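The check below is an added example, not code from the advisory or from the vendor's patches: it inspects an XML request body for the constructs behind the attack classes listed above (external entities, entities built from other entities, oversized attribute lists) before the body reaches an application parser. The function name, the finding labels, the MAX_ATTRS limit and the sample bodies are assumptions made for illustration.

```python
import re
import xml.parsers.expat as expat

MAX_ATTRS = 64  # assumed per-element attribute limit; tune per application

def inspect_xml(data: bytes) -> list:
    """Return the reasons to reject an XML request body (empty list = clean)."""
    findings = []
    # No ExternalEntityRefHandler is installed, so expat never fetches
    # external entities while the declarations are being inspected.
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append("doctype")
        if system_id or public_id:
            findings.append("external-dtd")

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if system_id or public_id:
            # A parser that resolves this URI enables file disclosure and TCP scans.
            findings.append("external-entity:" + name)
        elif value and re.search(r"&[^#;\s]+;", value):
            # An entity built from other entities is the basis of recursive expansion.
            findings.append("nested-entity:" + name)

    def on_start(tag, attrs):
        if len(attrs) > MAX_ATTRS:
            findings.append("attribute-blowup:" + tag)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        findings.append("malformed:%d" % exc.code)
    return findings

# Constructed sample bodies (not taken from the advisory).
CLEAN = b'<r a="1">ok</r>'
EXTERNAL = b'<!DOCTYPE r [<!ENTITY x SYSTEM "http://example.invalid/x">]><r>&x;</r>'
NESTED = b'<!DOCTYPE r [<!ENTITY a "aa"><!ENTITY b "&a;&a;">]><r>&b;</r>'
WIDE = b"<r " + b" ".join(b'a%d="1"' % i for i in range(MAX_ATTRS + 1)) + b"/>"

if __name__ == "__main__":
    for body in (CLEAN, EXTERNAL, NESTED, WIDE):
        print(inspect_xml(body))
```

A service that never needs DTDs can treat the "doctype" finding alone as grounds to reject the request.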
The vendor has released several patches for this vulnerability. Consult Web References for more information.
Remediation
References
Multiple Adobe Products - XML External Entity Injection And XML Injection