CVE-2018-25142
7.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
NovaRad NovaPACS Diagnostics Viewer 8.5.19.75 contains an unauthenticated XML External Entity (XXE) injection vulnerability in XML preference import settings. Attackers can craft malicious XML files with DTD parameter entities to retrieve arbitrary system files through an out-of-band channel attack.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| NovaRad Corporation | NovaPACS Diagnostics Viewer | 8.5.19.75 | affected |
Weaknesses
- CWE-611: Improper Restriction of XML External Entity Reference
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: partial
Additional References
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5488.php
- https://www.exploit-db.com/exploits/45337
References
- https://www.exploit-db.com/exploits/45337
- https://www.novarad.net
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5488.php
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.