CVE-2018-17289
MEDIUM
Kofax Front Office Server 4.1.1.11.0.5212 - Authenticated XML External Entity Injection via Package Configuration Upload
Title source: llm
Description
An XML external entity (XXE) vulnerability in Kofax Front Office Server Administration Console version 4.1.1.11.0.5212 allows remote authenticated users to read arbitrary files via crafted XML inside an imported package configuration (.ZIP file) within the Kofax/KFS/Admin/PackageService/package/upload file parameter.
References (1)
Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2018-17289-XXE-Kofax
Scores
CVSS v3: 6.5
EPSS: 0.0154
EPSS Percentile: 71.7%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE: CWE-611
Status: published
Products (1): kofax/front_office_server 4.1.1.11.0.5212
Published: Apr 18, 2019
Tracked Since: Feb 18, 2026