Cisco AnyConnect: CVE-2018-0100: Cisco AnyConnect Profile Editor XML External Entity Injection Vulnerability
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 4 | (AV:L/AC:L/Au:N/C:P/I:P/A:N) | Jan 18, 2018 | Dec 16, 2020 | Dec 16, 2020 |
Description
A vulnerability in the Profile Editor of the Cisco AnyConnect Secure Mobility Client could allow an unauthenticated, local attacker to have read and write access to information stored in the affected system. The vulnerability is due to improper handling of the XML External Entity (XXE) entries when parsing an XML file. An attacker could exploit this vulnerability by injecting a crafted XML file with malicious entries, which could allow the attacker to read and write files. Cisco Bug IDs: CSCvg19341.
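An added example, not part of the original advisory and not Cisco's code: a pre-open check that flags DOCTYPE and entity declarations in an XML file, the construct the description identifies, without resolving any external content. The function names, the sample element names and the placeholder URI are constructed for illustration.

```python
import xml.parsers.expat as expat

# Constructed sample inputs; element names and the URI are placeholders.
CLEAN = b"""<?xml version="1.0"?>
<Profile><HostName>vpn.example.test</HostName></Profile>"""

CRAFTED = b"""<?xml version="1.0"?>
<!DOCTYPE Profile [
  <!ENTITY ext SYSTEM "file:///constructed/placeholder.txt">
]>
<Profile><HostName>&ext;</HostName></Profile>"""


def audit_xml(data):
    """Return a list of (kind, name, system_id) for each DTD construct found.

    expat reports declarations through callbacks. No ExternalEntityRefHandler
    is installed, so external entities are reported but never fetched.
    """
    findings = []
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append(("doctype", name, system_id))

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        external = system_id is not None or public_id is not None
        kind = "external-entity" if external else "internal-entity"
        findings.append((kind, name, system_id))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        # A file that does not parse is reported rather than passed through.
        findings.append(("malformed", str(exc), None))
    return findings


def safe_to_open(data):
    """True only when the file carries no DTD constructs and is well-formed."""
    return not audit_xml(data)


if __name__ == "__main__":
    for label, doc in (("clean", CLEAN), ("crafted", CRAFTED)):
        print(label, safe_to_open(doc), audit_xml(doc))
```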
Solution
cisco-anyconnect-upgrade-latest