CVE-2020-26981
MEDIUM
Siemens JT2Go and Teamcenter Visualization < 13.1.0 - XML External Entity Injection via Crafted XML File
Title source: llm
Description
A vulnerability has been identified in JT2Go (All versions < V13.1.0), Teamcenter Visualization (All versions < V13.1.0). When opening a specially crafted XML file, the application could disclose arbitrary files to remote attackers. This is because specially crafted content is passed to the underlying XML parser without proper restrictions, such as prohibiting an external DTD. (ZDI-CAN-11890)
References (2)
Core References
Vendor Advisory x_refsource_misc
https://cert-portal.siemens.com/productcert/pdf/ssa-622830.pdf
Third Party Advisory, VDB Entry x_refsource_misc
https://www.zerodayinitiative.com/advisories/ZDI-21-048/
Scores
CVSS v3
6.5
EPSS
0.0040
EPSS Percentile
61.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Details
CWE
CWE-611
Status
published
Products (2)
siemens/jt2go
< 13.1.0
siemens/teamcenter_visualization
< 13.1.0
Published
Jan 12, 2021
Tracked Since
Feb 18, 2026