CVE-2020-7572

HIGH

EcoStruxure Building Operation WebReports 1.9-3.1 - Authenticated XML External Entity Injection

Description

A CWE-611 Improper Restriction of XML External Entity Reference vulnerability exists in EcoStruxure Building Operation WebReports V1.9 - V3.1. Due to improper configuration of the XML parser, an authenticated remote user could inject arbitrary XML code, leading to disclosure of confidential data, denial of service, or server-side request forgery.

References (1)

Core References
Patch, Product, Vendor Advisory x_refsource_misc
https://www.se.com/ww/en/download/document/SEVD-2020-315-04/

Scores

CVSS v3 8.8
EPSS 0.0047
EPSS Percentile 64.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-611
Status published
Products (1)
schneider-electric/webreports 1.9 - 3.1
Published Nov 19, 2020
Tracked Since Feb 18, 2026