CVE-2020-7032 – Avaya WebLM Improper Restriction of XML External Entity Reference
https://notcve.org/view.php?id=CVE-2020-7032
An XML external entity (XXE) vulnerability in Avaya WebLM admin interface allows authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. Affected versions of Avaya WebLM include: 7.0 through 7.1.3.6 and 8.0 through 8.1.2.

Avaya Web License Manager versions 6.x, 7.0 through 7.1.3.6, and 8.0 through 8.1.2.0.0 suffer from a blind out-of-band XML external entity injection vulnerability.

• http://packetstormsecurity.com/files/160123/Avaya-Web-License-Manager-XML-Injection.html
• http://seclists.org/fulldisclosure/2020/Nov/31
• https://downloads.avaya.com/css/P8/documents/101072249
• https://sec-consult.com/vulnerability-lab/advisory/blind-out-of-band-xml-external-entity-injection-in-avaya-web-license-manager

• CWE-611: Improper Restriction of XML External Entity Reference