CVE-2021-37425

Published: Aug 10, 2021Modified: Nov 21, 2024

9.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Exploitability: 3.9 / Impact: 5.2

Source: NVD

Description

Altova MobileTogether Server before 7.3 SP1 allows XXE attacks, such as an InfoSetChanges/Changes attack against /workflowmanagement, or reading mobiletogetherserver.cfg and then reading the certificate and private key.

Affected (2)

Products: Altova: Mobiletogether Server

Altova

1 product

Mobiletogether Server

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Altova Mobiletogether Server	From 7.0 to 7.3
Altova Mobiletogether Server	Version 7.3

Related CWEs

CWE-611

Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

References (8)

http://seclists.org/fulldisclosure/2021/Aug/12

Source: cve@mitre.org

ExploitMailing ListThird Party Advisory

https://www.altova.com/mobiletogether

Source: cve@mitre.org

Vendor Advisory

https://www.redteam-pentesting.de/advisories/rt-sa-2021-002

Source: cve@mitre.org

ExploitThird Party Advisory

https://www.redteam-pentesting.de/en/advisories/-advisories-publicised-vulnerability-analyses

Source: cve@mitre.org

Third Party Advisory

http://seclists.org/fulldisclosure/2021/Aug/12

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitMailing ListThird Party Advisory

https://www.altova.com/mobiletogether

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://www.redteam-pentesting.de/advisories/rt-sa-2021-002

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://www.redteam-pentesting.de/en/advisories/-advisories-publicised-vulnerability-analyses

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.