Description
FrostWire versions <= frostwire-desktop-6.7.4-build-272 contain an XML External Entity (XXE) vulnerability in the software update call, reachable through a man-in-the-middle position, that can result in disclosure of confidential data, denial of service, SSRF, and port scanning. This attack appears to be exploitable via a man-in-the-middle on the call to update the software.
References (2)
Core 2
Core References
Third Party Advisory x_refsource_misc
https://0dd.zone/2018/10/28/frostwire-XXE-MitM/
Issue Tracking, Third Party Advisory x_refsource_misc
https://github.com/frostwire/frostwire/issues/829
Scores
CVSS v3
9.0
EPSS
0.0133
EPSS Percentile
67.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Details
CWE
CWE-611
Status
published
Products (25)
frostwire/frostwire
1.9.9 build246 (2 CPE variants)
frostwire/frostwire
2.0.7 build263
frostwire/frostwire
6.1.6 build166 (2 CPE variants)
frostwire/frostwire
6.1.7 build168
frostwire/frostwire
6.1.8 build169
frostwire/frostwire
6.1.9 build172
frostwire/frostwire
6.2.0 build173 (2 CPE variants)
frostwire/frostwire
6.2.1 build175
frostwire/frostwire
6.2.2 build176
frostwire/frostwire
6.2.3 build177 (2 CPE variants)
... and 15 more
Published
Dec 20, 2018
Tracked Since
Feb 18, 2026