CVE-2023-3892

MEDIUM IN THE WILD

MIM Assistant/C - XML External Entity Reference

Title source: llm

Exploitation Summary

CVE-2023-3892 has been observed exploited in the wild (reported by InTheWild.io).

Description

Improper Restriction of XML External Entity Reference vulnerability in MIM Assistant and Client DICOM RTst Loading modules allows XML Entity Linking / XML External Entities Blowup. In order to take advantage of this vulnerability, an attacker must craft a malicious XML document, embed this document into specific 3rd party private RTst metadata tags, transfer the now compromised DICOM object to MIM, and force MIM to archive and load the data. Users on either version are strongly encouraged to update to an unaffected version (7.2.11+, 7.3.4+). This issue was found and analyzed by MIM Software's internal security team. We are unaware of any proof of concept or actual exploit available in the wild. For more information, visit https://www.mimsoftware.com/cve-2023-3892 https://www.mimsoftware.com/cve-2023-3892 This issue affects MIM Assistant: 7.2.10, 7.3.3; MIM Client: 7.2.10, 7.3.3.

References (1)

Core 1

Core References

Vendor Advisory

https://www.mimsoftware.com/cve-2023-3892

Scores

CVSS v3 5.6

EPSS 0.0022

EPSS Percentile 11.9%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

InTheWild.io 2023-09-19

CWE

CWE-611

Status published

Products (4)

mimsoftware/assistant 7.2.10

mimsoftware/assistant 7.3.3

mimsoftware/client 7.2.10

mimsoftware/client 7.3.3

Published Sep 19, 2023

Tracked Since Feb 18, 2026