CVE-2024-37397

An External XML Entity (XXE) vulnerability in the provisioning web service of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to leak API secrets.

CVSS v3 8.2 HIGH

8.2^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://forums.ivanti.com/s/article/Security-Advisory-EPM-September-2024-for-EPM-2024-and-EPM-2022

Configurations

No configuration.

History

13 Sep 2024, 16:35

Type	Values Removed	Values Added
CWE	~~CWE-200~~	CWE-611

12 Sep 2024, 15:35

Type	Values Removed	Values Added
CWE		CWE-200

12 Sep 2024, 12:35

Type	Values Removed	Values Added
Summary		(es) Una vulnerabilidad de entidad XML externa (XXE) en el servicio web de aprovisionamiento de Ivanti EPM antes de 2022 SU6 o la actualización de septiembre de 2024 permite que un atacante remoto no autenticado filtre secretos de API.

12 Sep 2024, 02:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-09-12 02:15

Updated : 2024-09-13 16:35

NVD link : CVE-2024-37397

Mitre link : CVE-2024-37397

CVE.ORG link : CVE-2024-37397

JSON object : View

Products Affected

No product.

CWE

CWE-611

Improper Restriction of XML External Entity Reference

8.2 /10