CVE-2018-15444
MEDIUM
Cisco Energy Management Suite Software - Authenticated XML External Entity Injection via XML File Import
Title source: llm
Description
A vulnerability in the web-based user interface of Cisco Energy Management Suite Software could allow an authenticated, remote attacker to gain read and write access to information that is stored on an affected system. The vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by convincing a user of an affected system to import a crafted XML file with malicious entries, which could allow the attacker to read and write files within the affected application.
References (3)
Core References
Broken Link, Vendor Advisory (vendor-advisory, x_refsource_cisco)
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-ems-xml-xxe
Exploit, Mitigation, Third Party Advisory (x_refsource_misc)
https://www.tenable.com/security/research/tra-2018-36
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid)
http://www.securityfocus.com/bid/105860
Scores
CVSS v3
6.3
EPSS
0.0201
EPSS Percentile
78.3%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-611
Status
published
Products (1)
cisco/energy_management_suite_software
Published
Nov 08, 2018
Tracked Since
Feb 18, 2026