CVSS: 6.5EPSS: 1%CPEs: 4EXPL: 2CVE-2019-11216 – BMC Smart Reporting 7.3 20180418 XML Injection
https://notcve.org/view.php?id=CVE-2019-11216
BMC Smart Reporting 7.3 20180418 allows authenticated XXE within the import functionality. One can import a malicious XML file and perform XXE attacks to download local files from the server, or do DoS attacks with XML expansion attacks. XXE with direct response and XXE OOB are allowed. BMC Smart Reporting versión 7.3 20180418, permite un ataque de tipo XXE autenticado dentro de la funcionalidad import. Se puede importar un archivo XML malicioso y realizar ataques de tipo XXE para desencadenar archivos locales del servidor, o hacer ataques de tipo DoS con ataques de expansión XML. • http://packetstormsecurity.com/files/155552/BMC-Smart-Reporting-7.3-20180418-XML-Injection.html http://seclists.org/fulldisclosure/2019/Dec/7 https://docs.bmc.com/docs/itsm90/export-and-import-repository-509983929.html • CWE-434: Unrestricted Upload of File with Dangerous Type CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 1CVE-2019-1010147
https://notcve.org/view.php?id=CVE-2019-1010147
Yellowfin Smart Reporting All Versions Prior to 7.3 is affected by: Incorrect Access Control - Privileges Escalation. The impact is: Victim attacked and access admin functionality through their browser and control browser. The component is: MIAdminStyles.i4. The attack vector is: Victims are typically lured to a web site under the attacker's control; the XSS vulnerability on the target domain is silently exploited without the victim's knowledge. The fixed version is: 7.4 and later. • https://drive.google.com/open?id=1sk5IklziyEggeWpWE4Wyk9xqa30CjNpS • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •