CVE-2021-33208: XML External Entity (XXE)
Vendor: Software AG
Vendor URL: https://www.softwareag.com/corporate/products/az/mashzone_nextgen/default
Versions affected: MashZone NextGen 10.7 GA | Build 1607 (Vendor did not provide data about other affected versions)
Discovered by: Marcos Díaz
Public fix: No
Proof of Concept: No
Summary
MashZone NextGen 10.7 GA | Build 1607 and likely other/older versions, are affected by a XXE vulnerability.
Details
MashZone NextGen uses a XML file to setup a feature called "Ehcache". It is possible to include XML external entities in this file that are evaluated by the application's XML parser.
Impact
Leak of internal files / DoS / SSRF.
Recommendation
Make sure you have changed the default administrative credentials. At this point we do not have information about a fix from Software AG.
Timeline
- 19/05/2021 - Reported vulnerability to vendor
- 31/08/2021 - A representative from Software AG asks for details
- 30/03/2022 - Public Disclosure