Vulnerability Note VU#377644
Ektron Content Management System (CMS) contains multiple vulnerabilities
Ektron Content Management System (CMS) versions 8.5, 8.7, and 9.0 contain an XML External Entity (XXE) vulnerability and a resource injection vulnerability.
Note: A prior version of this report indicated incorrectly that Ektron CMS version 9.1 was vulnerable. The vendor indicated that the last version to ship with this vulnerability was version 9.0.
CWE-611: Improper Restriction of XML External Entity Reference ('XXE') - CVE-2015-0923
A remote, unauthenticated user may be able to read arbitrary files on the server. In the case of the resource injection vulnerability, a remote, unauthenticated attacker may be able to run arbitrary code on the server at the privilege level of the application.
Apply an Update
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Ektron | Affected | 05 Nov 2014 | 13 Jan 2015 |
CVSS Metrics
Thanks to Matthias Kaiser for reporting this vulnerability.
This document was written by Chris King.
- CVE IDs: CVE-2015-0923, CVE-2015-0931
- Date Public: 05 Feb 2014
- Date First Published: 05 Feb 2015
- Date Last Updated: 10 Feb 2015
- Document Revision: 36