CVE-2014-3005
CRITICAL
Zabbix 1.8.x-1.8.20 2.0.x-2.0.12 2.2.x-2.2.4 2.3.x-2.3.1 - XML External Entity Injection via DTD in XML Request
Title source: manual
Description
XML external entity (XXE) vulnerability in Zabbix 1.8.x before 1.8.21rc1, 2.0.x before 2.0.13rc1, 2.2.x before 2.2.5rc1, and 2.3.x before 2.3.2 allows remote attackers to read arbitrary files or potentially execute arbitrary code via a crafted DTD in an XML request.
References (7)
Core References
Third Party Advisory vendor-advisory
x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2014-June/134885.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/68075
Exploit, Patch, Vendor Advisory x_refsource_confirm
https://support.zabbix.com/browse/ZBX-8151
Third Party Advisory vendor-advisory
x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2014-June/134909.html
Mailing List, Third Party Advisory mailing-list
x_refsource_fulldisc
http://seclists.org/fulldisclosure/2014/Jun/87
Issue Tracking, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1110496
Exploit, Third Party Advisory x_refsource_misc
https://web.archive.org/web/20140622034155/http://www.pnigos.com:80/?p=273
Scores
CVSS v3
9.8
EPSS
0.0530
EPSS Percentile
91.5%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-611
Status
published
Products (43)
fedoraproject/fedora
19
fedoraproject/fedora
20
zabbix/zabbix
1.8
zabbix/zabbix
1.8.1
zabbix/zabbix
1.8.2
zabbix/zabbix
1.8.3
zabbix/zabbix
1.8.4
zabbix/zabbix
1.8.5
zabbix/zabbix
1.8.6
zabbix/zabbix
1.8.7
... and 33 more
Published
Feb 01, 2018
Tracked Since
Feb 18, 2026