CVE-2013-4034

IBM Cognos Business Intelligence 8.4.1-10.2.1.1 - Authenticated XML External Entity Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2013-4034. PoCs published by IBM.

AI-analyzed exploit summary This XML payload exploits an XXE (XML External Entity) vulnerability in IBM Cognos Business Intelligence, allowing an attacker to read arbitrary files (e.g., /etc/passwd) by referencing an external entity. The vulnerability arises from improper parsing of XML input, leading to information disclosure.

Description

IBM Cognos Business Intelligence 8.4.1 before IF3, 10.1.0 before IF4, 10.1.1 before IF4, 10.2.0 before IF4, 10.2.1 before IF2, and 10.2.1.1 before IF1 allows remote authenticated users to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Exploits (1)

exploitdb WORKING POC VERIFIED

by IBM · xmlremotemultiple

https://www.exploit-db.com/exploits/38825

View Code ZIP pw:eip

This XML payload exploits an XXE (XML External Entity) vulnerability in IBM Cognos Business Intelligence, allowing an attacker to read arbitrary files (e.g., /etc/passwd) by referencing an external entity. The vulnerability arises from improper parsing of XML input, leading to information disclosure.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: IBM Cognos Business Intelligence 10.2.1 and prior

No auth needed

Prerequisites: Ability to send crafted XML input to the vulnerable application

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1552.001 - Credentials In Files

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

http://www-01.ibm.com/support/docview.wss?uid=swg21652590

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/86137

Scores

EPSS 0.0556

EPSS Percentile 91.8%

Details

CWE

CWE-264

Status published

Products (6)

ibm/cognos_business_intelligence 8.4.1

ibm/cognos_business_intelligence 10.1

ibm/cognos_business_intelligence 10.1.1

ibm/cognos_business_intelligence 10.2

ibm/cognos_business_intelligence 10.2.1

ibm/cognos_business_intelligence 10.2.1.1

Published Nov 18, 2013

Tracked Since Feb 18, 2026