Security Advisory
1) XML External Entity injection
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C] [PCI]
CVE-ID: CVE-2020-25649
CWE-ID: CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')
Exploit availability: No
Description
The vulnerability allows a remote attacker to modify information on the system.
The vulnerability exists due to insufficient validation of user-supplied XML input. A remote attacker can pass a specially crafted XML code to the affected application and modify information on the system.
Mitigation
Install update from vendor's website.
Vulnerable software versions
JD Edwards EnterpriseOne Orchestrator: 9.2.5.0, 9.2.5.1, 9.2.5.2, 9.2.5.3
CPE
External links
https://www.oracle.com/security-alerts/cpujul2021.html?505645
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
