CVE-2018-0207
low-risk
Published 2018-03-08
A vulnerability in the web-based user interface of the Cisco Secure Access Control Server prior to 5.8 patch 9 could allow an unauthenticated, remote attacker to gain read access to certain information in the affected system. The vulnerability is due to improper handling of XML External Entities (XXEs) when parsing an XML file. An attacker could exploit this vulnerability by convincing the administrator of an affected system to import a crafted XML file. Cisco Bug IDs: CSCve70595.
Do I need to act?
-
0.46% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
3
CVSS 3.3/10
Low
LOCAL
/ LOW complexity
Affected Products (1)
Secure Access Control Server Solution Engine
Affected Vendors
References (6)
Third Party Advisory
http://www.securityfocus.com/bid/103343
Third Party Advisory
http://www.securitytracker.com/id/1040470
Third Party Advisory
http://www.securityfocus.com/bid/103343
Third Party Advisory
http://www.securitytracker.com/id/1040470
20
/ 100
low-risk
Severity
13/34 · Low
Exploitability
2/34 · Minimal
Exposure
5/34 · Minimal