CVE-2022-32458

Published: Jul 20, 2022Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: twcert@cert.org.tw (Secondary)

Description

Digiwin BPM has a XML External Entity Injection (XXE) vulnerability due to insufficient validation for user input. An unauthenticated remote attacker can perform XML injection attack to access arbitrary system files.

Affected (1)

Products: Digiwin: Business Process Management

Digiwin

1 product

Business Process Management

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Digiwin Business Process Management	Before 5.8.8.1

Related CWEs

CWE-611

Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

References (4)

https://www.chtsecurity.com/news/09757883-fea6-4aff-9e22-8ae8c4f8f7bb

Source: twcert@cert.org.tw

Third Party Advisory

https://www.twcert.org.tw/tw/cp-132-6288-49e01-1.html

Source: twcert@cert.org.tw

Third Party Advisory

https://www.chtsecurity.com/news/09757883-fea6-4aff-9e22-8ae8c4f8f7bb

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.twcert.org.tw/tw/cp-132-6288-49e01-1.html

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.