Ektron Content Management System (CMS) versions 8.5, 8.7, and 9.0 contain an XXE and a resource injection vulnerability.
Note: A prior version of this report indicated incorrectly that Ektron CMS version 9.1 was vulnerable. The vendor indicated that the last version to ship with this vulnerability was version 9.0.
CWE-611: Improper Restriction of XML External Entity Reference ('XXE') - CVE-2015-0923
A remote, unauthenticated user may be able to read arbitrary files on the server. In the case of the resource injection vulnerability, a remote, unauthenticated attacker may be able to run arbitrary code on the server at the privilege level of the application.
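As an added illustration of the CWE-611 pattern named above (not code from this advisory or from Ektron), the following Python check flags XML request bodies that declare external entities and refuses to parse any body that carries a DOCTYPE; the sample bodies and the placeholder URIs in them are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# A DOCTYPE anywhere before the root element is the only place an
# entity declaration can live, so its presence alone is worth flagging.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
# An entity (general or parameter, hence the optional '%') whose value is a
# SYSTEM or PUBLIC identifier points outside the document: the CWE-611 case.
_EXTERNAL_ENTITY_RE = re.compile(
    rb"<!ENTITY\s+%?\s*[^\s>]+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)

# Constructed sample request bodies (placeholder URIs, not real targets).
SAMPLES = {
    "clean": b'<?xml version="1.0"?><doc><title>hello</title></doc>',
    "internal_entity": (b'<?xml version="1.0"?>'
                        b'<!DOCTYPE doc [<!ENTITY greet "hi">]><doc>&greet;</doc>'),
    "external_entity": (b'<?xml version="1.0"?>'
                        b'<!DOCTYPE doc [<!ENTITY ext SYSTEM "file:///example/path">]>'
                        b'<doc>&ext;</doc>'),
    "param_entity": (b'<?xml version="1.0"?>'
                     b'<!DOCTYPE doc [<!ENTITY % pe SYSTEM "http://example.invalid/x.dtd">%pe;]>'
                     b'<doc/>'),
}


def classify_xml_body(body: bytes) -> str:
    """Return 'external-entity', 'doctype' or 'clean' for one request body.

    'external-entity' is the signal a WAF or log review should alert on;
    'doctype' is suspicious for an endpoint whose schema never needs one.
    """
    if _EXTERNAL_ENTITY_RE.search(body):
        return "external-entity"
    if _DOCTYPE_RE.search(body):
        return "doctype"
    return "clean"


def safe_parse(body: bytes) -> ET.Element:
    """Hardened parse: reject any DOCTYPE before the parser ever sees it."""
    if _DOCTYPE_RE.search(body):
        raise ValueError("DOCTYPE not permitted in this endpoint's input")
    return ET.fromstring(body)


def accepts(body: bytes) -> bool:
    """True if safe_parse() accepts the body, False if it rejects it."""
    try:
        safe_parse(body)
        return True
    except ValueError:
        return False
```

Rejecting DOCTYPE outright is stricter than disabling entity resolution in the parser, but for endpoints that consume a fixed schema it removes the whole class rather than one variant.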
Apply an Update
Thanks to Matthias Kaiser for reporting this vulnerability.
This document was written by Chris King.