CVE-2020-25020

Published: Aug 29, 2020Modified: May 5, 2025

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

MPXJ through 8.1.3 allows XXE attacks. This affects the GanttProjectReader and PhoenixReader components.

Affected (7)

Products: Mpxj: Mpxj · Oracle: Primavera Unifier

1 product

1 product

Primavera Unifier

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Mpxj Mpxj	Up to 8.1.3

Configuration B

6 vulnerable

Vulnerable Software	Affected Versions
Oracle Primavera Unifier	From 17.7 to 17.12
Oracle Primavera Unifier	Version 16.1
Oracle Primavera Unifier	Version 16.2
Oracle Primavera Unifier	Version 18.8
Oracle Primavera Unifier	Version 19.12
Oracle Primavera Unifier	Version 20.12

Related CWEs

Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

References (4)

https://github.com/joniles/mpxj/pull/178/commits/c3e457f7a16facfe563eade82b0fa8736a8c96f9

Source: cve@mitre.org

PatchThird Party Advisory

https://www.oracle.com/security-alerts/cpujan2021.html

Source: cve@mitre.org

PatchThird Party Advisory

https://github.com/joniles/mpxj/pull/178/commits/c3e457f7a16facfe563eade82b0fa8736a8c96f9

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://www.oracle.com/security-alerts/cpujan2021.html

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

Timeline

No history available yet.