CVE-2016-9487

Published: Jul 13, 2018Modified: Nov 21, 2024

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

EpubCheck 4.0.1 does not properly restrict resolving external entities when parsing XML in EPUB files during validation. An attacker who supplies a specially crafted EPUB file may be able to exploit this behavior to read arbitrary files, or have the victim execute arbitrary requests on his behalf, abusing the victim's trust relationship with other entities.

Affected (1)

Products: W3: Epubcheck

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
W3 Epubcheck	Version 4.0.1

Related CWEs

Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

References (4)

https://www.kb.cert.org/vuls/id/779243

Source: cret@cert.org

Third Party AdvisoryUS Government Resource

https://www.securityfocus.com/bid/94864/

Source: cret@cert.org

Third Party AdvisoryVDB Entry

https://www.kb.cert.org/vuls/id/779243

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryUS Government Resource

https://www.securityfocus.com/bid/94864/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

Timeline

No history available yet.