History: Feb 14, 2015 - 3:01 a.m.

CVE-2015-0923

2015-02-14 03:01:17
certcc
web.nvd.nist.gov
cve-2015-0923
contentblockex method
workarea/servercontrolws.asmx
ektron cms
xml
remote code execution
xxe vulnerability

CVSS2: 5

Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

AI Score: 6.9
Confidence: Low

EPSS: 0.774
Percentile: 98.2%

The ContentBlockEx method in Workarea/ServerControlWS.asmx in Ektron Content Management System (CMS) 8.5 and 8.7 before 8.7sp2 and 9.0 before sp1 allows remote attackers to read arbitrary files via an external entity declaration in conjunction with an entity reference within an XML document named in the xslt parameter, related to an XML External Entity (XXE) issue.

Affected configurations

Nvd

Node: ektron ektron_content_management_system Match 8.5.0 OR 8.7.0 OR 8.7.0sp1 OR 8.9.0

| Vendor | Product | Version | CPE |
|---|---|---|---|
| ektron | ektron_content_management_system | 8.5.0 | cpe:2.3:a:ektron:ektron_content_management_system:8.5.0:*:*:*:*:*:*:* |
| ektron | ektron_content_management_system | 8.7.0 | cpe:2.3:a:ektron:ektron_content_management_system:8.7.0:*:*:*:*:*:*:* |
| ektron | ektron_content_management_system | 8.7.0 | cpe:2.3:a:ektron:ektron_content_management_system:8.7.0:sp1:*:*:*:*:*:* |
| ektron | ektron_content_management_system | 8.9.0 | cpe:2.3:a:ektron:ektron_content_management_system:8.9.0:*:*:*:*:*:*:* |
