Inkscape
CVE-2012-5656
MEDIUM
Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
The rasterization process in Inkscape before 0.48.4 allows local users to read arbitrary files via an external entity in a SVG file, aka an XML external entity (XXE) injection attack.
AnalysisAI
The rasterization process in Inkscape before 0.48.4 allows local users to read arbitrary files via an external entity in a SVG file, aka an XML external entity (XXE) injection attack. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified as XML External Entity (XXE) (CWE-611), which allows attackers to read arbitrary files or perform SSRF through XML processing. The rasterization process in Inkscape before 0.48.4 allows local users to read arbitrary files via an external entity in a SVG file, aka an XML external entity (XXE) injection attack. Affected products include: Inkscape, Fedoraproject Fedora, Canonical Ubuntu Linux, Opensuse. Version information: before 0.48.4.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Disable external entity processing in XML parsers, use JSON instead of XML where possible.
Inkscape 1.1 before 1.3 contains a local file disclosure vulnerability in XInclude processing that allows unauthenticate
Inkscape before 0.48.4 reads .eps files from /tmp instead of the current directory, which might cause Inkspace to proces
Share
External POC / Exploit Code
Leaving vuln.today