CVE-2019-11216
MEDIUM
BMC Remedy Smart Reporting 9.1.03 - Authenticated XML External Entity Injection via Import Functionality
Title source: llm
Description
BMC Smart Reporting 7.3 20180418 allows authenticated XXE within the import functionality. One can import a malicious XML file and perform XXE attacks to download local files from the server, or do DoS attacks with XML expansion attacks. XXE with direct response and XXE OOB are allowed.
References (3)
Core References
Product x_refsource_misc
https://docs.bmc.com/docs/itsm90/export-and-import-repository-509983929.html
Exploit, Mailing List, Third Party Advisory x_refsource_misc
http://seclists.org/fulldisclosure/2019/Dec/7
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/155552/BMC-Smart-Reporting-7.3-20180418-XML-Injection.html
Scores
CVSS v3
6.5
EPSS
0.0184
EPSS Percentile
76.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H
Details
CWE
CWE-434
CWE-611
Status
published
Products (1)
bmc/remedy_smart_reporting
9.1.03 - 9.1.03.001
Published
Dec 04, 2019
Tracked Since
Feb 18, 2026