CVE-2021-27184
HIGHPelco Digital Sentry Server 7.18.72.11464 - XML External Entity Injection via ControlPointCacheShare.xml
Title source: llmDescription
Pelco Digital Sentry Server 7.18.72.11464 has an XML External Entity vulnerability (exploitable via the DTD parameter entities technique), resulting in disclosure and retrieval of arbitrary data on the affected node via an out-of-band (OOB) attack. The vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the ControlPointCacheShare.xml file (in a %APPDATA%\Pelco directory) when DSControlPoint.exe is executed.
References (2)
Core 2
Core References
Release Notes, Vendor Advisory x_refsource_misc
https://support.pelco.com/s/article/What-is-the-Digital-Sentry-software-release-revision-history
Exploit, Third Party Advisory x_refsource_misc
https://github.com/vitorespf/Advisories/blob/master/Pelco_Digital_Sentry_Server.txt
Scores
CVSS v3
7.5
EPSS
0.0159
EPSS Percentile
72.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-611
Status
published
Products (1)
pelco/digital_sentry_server
7.18.72.11464
Published
Feb 11, 2021
Tracked Since
Feb 18, 2026