CVE-2023-23595
HIGH
BlueCat Device Registration Portal 2.2 - XML External Entity Injection
Title source: llm
Description
BlueCat Device Registration Portal 2.2 allows XXE attacks that exfiltrate single-line files. A single-line file might contain credentials, such as "machine example.com login daniel password qwerty" in the documentation example for the .netrc file format. NOTE: 2.x versions are no longer supported. There is no available information about whether any later version is affected.
References (3)
Core References
Product, Vendor Advisory
https://bluecatnetworks.com/integrations/adaptive-application/device-registration-portal-drp/
Technical Description, Third Party Advisory
https://everything.curl.dev/usingcurl/netrc
Exploit, Third Party Advisory
https://github.com/colemanjp/XXE-Vulnerability-in-Bluecat-Device-Registration-Portal-DRP
Scores
CVSS v3
7.5
EPSS
0.0095
EPSS Percentile
56.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-611
Status
published
Products (1)
bluecatnetworks/device_registration_portal
2.2
Published
Jan 15, 2023
Tracked Since
Feb 18, 2026