CVE-2024-25066

Published: Feb 17, 2025Modified: Feb 17, 2025

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Exploitability: 2.8 / Impact: 1.4

Source: MITRE (Secondary)

Description

RSA Authentication Manager before 8.7 SP2 Patch 1 allows XML External Entity (XXE) attacks via a license file, resulting in attacker-controlled files being stored on the product's server. Data exfiltration cannot occur.

Related CWEs

CWE-611

Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

References (4)

https://community.rsa.com/s/advisories

Source: cve@mitre.org

https://community.rsa.com/s/article/RSA-Authentication-Manager-8-7-SP2-Patch-1-Readme

Source: cve@mitre.org

https://github.com/KaiwenTM/CVE_POC/blob/main/CVE-2024-25066.txt

Source: cve@mitre.org

https://www.rsa.com/en-us/company/vulnerability-response-policy

Source: cve@mitre.org

Timeline

No history available yet.