CVE-2020-25750

Published: Sep 18, 2020Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

An issue was discovered in DotPlant2 before 2020-09-14. In class Pay2PayPayment in payment/Pay2PayPayment.php, there is an XXE vulnerability in the checkResult function. The user input ($_POST['xml']) is used for simplexml_load_string without sanitization. NOTE: This vulnerability only affects products that are no longer supported by the maintainer

Affected (1)

Products: Dotplant: Dotplant2

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Dotplant Dotplant2	Before 2020-09-14

Related CWEs

Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

References (2)

https://github.com/DevGroup-ru/dotplant2/issues/400

Source: cve@mitre.org

ExploitPatchThird Party Advisory

https://github.com/DevGroup-ru/dotplant2/issues/400

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitPatchThird Party Advisory

Timeline

No history available yet.