Ocsinventory Ng
CVE-2018-14473
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Lifecycle Timeline
1DescriptionNVD
OCS Inventory 2.4.1 lacks a proper XML parsing configuration, allowing the use of external entities. This issue can be exploited by an attacker sending a crafted HTTP request in order to exfiltrate information or cause a Denial of Service.
AnalysisAI
OCS Inventory 2.4.1 lacks a proper XML parsing configuration, allowing the use of external entities. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified as XML External Entity (XXE) (CWE-611), which allows attackers to read arbitrary files or perform SSRF through XML processing. OCS Inventory 2.4.1 lacks a proper XML parsing configuration, allowing the use of external entities. This issue can be exploited by an attacker sending a crafted HTTP request in order to exfiltrate information or cause a Denial of Service. Affected products include: Ocsinventory-Ng Ocsinventory Ng.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Disable external entity processing in XML parsers, use JSON instead of XML where possible.
More in Ocsinventory Ng
View allOCS Inventory 2.4.1 is prone to a remote command-execution vulnerability. Rated high severity (CVSS 8.8), this vulnerabi
OCS Inventory 2.4.1 contains multiple SQL injections in the search engine. Rated high severity (CVSS 8.8), this vulnerab
OCS Inventory NG ocsreports 2.4 and ocsreports 2.3.1 version 2.4 and 2.3.1 contains a SQL Injection vulnerability in web
OCS Inventory OCS Inventory NG version ocsreports 2.4 contains a Cross Site Scripting (XSS) vulnerability in login form
Unrestricted file upload (with remote code execution) in OCS Inventory NG ocsreports allows a privileged user to gain ac
Multiple cross-site scripting (XSS) vulnerabilities in the OCS Reports Web Interface in OCS Inventory NG allow remote at
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today