Cisco AnyConnect: CVE-2018-0100: Cisco AnyConnect Profile Editor XML External Entity Injection Vulnerability

Severity: 4
CVSS: (AV:L/AC:L/Au:N/C:P/I:P/A:N)
Published: 2018-01-18
Added: 2020-12-16
Modified: 2020-12-16

Description

A vulnerability in the Profile Editor of the Cisco AnyConnect Secure Mobility Client could allow an unauthenticated, local attacker to have read and write access to information stored in the affected system. The vulnerability is due to improper handling of the XML External Entity (XXE) entries when parsing an XML file. An attacker could exploit this vulnerability by injecting a crafted XML file with malicious entries, which could allow the attacker to read and write files. Cisco Bug IDs: CSCvg19341.

Solution

cisco-anyconnect-upgrade-latest