SecurityTracker.com
Category:   Application (Security)  >   HPE Fortify Software Security Center
Vendors:   HPE, Micro Focus
HPE Fortify Software Security Center XML External Entity Processing Flaw Lets Remote Users Read Files and Conduct Cross-Site Request Forgery Attacks
SecurityTracker Alert ID:  1041286
SecurityTracker URL:  http://securitytracker.com/id/1041286
CVE Reference:   CVE-2018-12463
Date:  Jul 12 2018
Impact:   Disclosure of system information, Disclosure of user information, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 17.1, 17.2, 18.1
Description:   A vulnerability was reported in HPE Fortify Software Security Center. A remote user can conduct cross-site request forgery attacks. A remote user can conduct XML external entity attacks to obtain files on the target system.

A remote user can supply specially crafted XML External Entity (XXE) data to the target interface to read files on the target system with the privileges of the target service or take actions on the target interface acting as the target user.

Alex Hernandez aka alt3kx reported this vulnerability.

Impact:   A remote user can take actions on the target system acting as the target authenticated user.

A remote user can read files on the target system with the privileges of the target service.

Solution:   The vendor has issued a fix.

The vendor advisory is available at:

https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03201085

Vendor URL:  softwaresupport.hpe.com/document/-/facetsearch/document/KM03201085
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Solaris - SunOS), Windows (Any)

Message History:   None.