CVE-2023-6280

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-6280
An XXE (XML External Entity) vulnerability has been detected in 52North WPS affecting versions prior to 4.0.0-beta.11. This vulnerability allows the use of external entities in its WebProcessingService servlet for an attacker to retrieve files by making HTTP requests to the internal network.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://www.incibe.es/en/incibe-cert/notices/aviso/xml-external-entity-reference-52north-wps Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:52north:wps:*:*:*:*:*:*:*:*
cpe:2.3:a:52north:wps:4.0.0:beta1:*:*:*:*:*:*
cpe:2.3:a:52north:wps:4.0.0:beta10:*:*:*:*:*:*
cpe:2.3:a:52north:wps:4.0.0:beta2:*:*:*:*:*:*
cpe:2.3:a:52north:wps:4.0.0:beta3:*:*:*:*:*:*
cpe:2.3:a:52north:wps:4.0.0:beta4:*:*:*:*:*:*
cpe:2.3:a:52north:wps:4.0.0:beta5:*:*:*:*:*:*
cpe:2.3:a:52north:wps:4.0.0:beta6:*:*:*:*:*:*
cpe:2.3:a:52north:wps:4.0.0:beta7:*:*:*:*:*:*
cpe:2.3:a:52north:wps:4.0.0:beta8:*:*:*:*:*:*
cpe:2.3:a:52north:wps:4.0.0:beta9:*:*:*:*:*:*
History

28 Dec 2023, 19:02

Type Values Removed Values Added
CPE cpe:2.3:a:52north:wps:4.0.0:beta5:*:*:*:*:*:*
cpe:2.3:a:52north:wps:4.0.0:beta8:*:*:*:*:*:*
cpe:2.3:a:52north:wps:*:*:*:*:*:*:*:*
cpe:2.3:a:52north:wps:4.0.0:beta4:*:*:*:*:*:*
cpe:2.3:a:52north:wps:4.0.0:beta9:*:*:*:*:*:*
cpe:2.3:a:52north:wps:4.0.0:beta10:*:*:*:*:*:*
cpe:2.3:a:52north:wps:4.0.0:beta6:*:*:*:*:*:*
cpe:2.3:a:52north:wps:4.0.0:beta2:*:*:*:*:*:*
cpe:2.3:a:52north:wps:4.0.0:beta3:*:*:*:*:*:*
cpe:2.3:a:52north:wps:4.0.0:beta7:*:*:*:*:*:*
cpe:2.3:a:52north:wps:4.0.0:beta1:*:*:*:*:*:*
Summary
  • (es) Se ha detectado una vulnerabilidad XXE (XML External Entity) en 52North WPS que afecta a versiones anteriores a la 4.0.0-beta.11. Esta vulnerabilidad permite el uso de entidades externas en su servlet WebProcessingService para que un atacante recupere archivos realizando solicitudes HTTP a la red interna.
CVSS v2 : unknown
v3 : 7.2 		v2 : unknown
v3 : 7.5
References () https://www.incibe.es/en/incibe-cert/notices/aviso/xml-external-entity-reference-52north-wps - () https://www.incibe.es/en/incibe-cert/notices/aviso/xml-external-entity-reference-52north-wps - Third Party Advisory
First Time 52north wps
52north

19 Dec 2023, 15:15

Type Values Removed Values Added
New CVE
Information

Published : 2023-12-19 15:15

Updated : 2024-04-11 01:23

NVD link : CVE-2023-6280

Mitre link : CVE-2023-6280

CVE.ORG link : CVE-2023-6280

JSON object : View

Products Affected

52north

  • wps
CWE
CWE-611

Improper Restriction of XML External Entity Reference