CVE-2024-37388

Published: Jun 7, 2024Modified: Nov 21, 2024

9.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Exploitability: 3.9 / Impact: 5.2

Source: NVD

Description

An XML External Entity (XXE) vulnerability in the ebookmeta.get_metadata function of lxml before v4.9.1 allows attackers to access sensitive information or cause a Denial of Service (DoS) via crafted XML input.

Affected (1)

Products: Dnkorpushov: Ebookmeta

Dnkorpushov

1 product

Ebookmeta

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Dnkorpushov Ebookmeta	Before 4.9.1

Related CWEs

CWE-611

Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

References (2)

https://github.com/dnkorpushov/ebookmeta/issues/16#issue-2317712335

Source: cve@mitre.org

Issue Tracking

https://github.com/dnkorpushov/ebookmeta/issues/16#issue-2317712335

Source: af854a3a-2127-422b-91ae-364da2661108

Issue Tracking

Timeline

No history available yet.