Ektron Content Management System (CMS) versions 8.5, 8.7, and 9.0 contain an XML External Entity (XXE) vulnerability and a resource injection vulnerability.
Note: A prior version of this report indicated incorrectly that Ektron CMS version 9.1 was vulnerable. The vendor indicated that the last version to ship with this vulnerability was version 9.0.
CWE-611: Improper Restriction of XML External Entity Reference ('XXE') - CVE-2015-0923
Through the XXE vulnerability, a remote, unauthenticated attacker may be able to read arbitrary files on the server. In the case of the resource injection vulnerability, a remote, unauthenticated attacker may be able to run arbitrary code on the server at the privilege level of the application.
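Ektron CMS is an ASP.NET application, so the following is an added illustration (not Ektron's code and not taken from this report) of how a .NET component that accepts untrusted XML closes the CWE-611 hole described above: DTD processing is prohibited and the resolver that would fetch external resources is removed. The sample documents, the `file:///placeholder/...` path and the `SafeXml` class name are constructed for this example.

```csharp
using System;
using System.IO;
using System.Xml;

static class SafeXml
{
    // Hardened loader for XML that arrives from an unauthenticated client.
    // On older .NET Framework versions the legacy pattern
    //     var doc = new XmlDocument(); doc.LoadXml(untrusted);
    // uses a default XmlUrlResolver and accepts DTDs, so an external entity
    // declared in the document can be expanded into local file contents.
    public static XmlDocument ParseUntrusted(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // any <!DOCTYPE> -> XmlException
            XmlResolver = null                      // never fetch external resources
        };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            var doc = new XmlDocument { XmlResolver = null }; // belt and braces
            doc.Load(reader);
            return doc;
        }
    }

    static void Main()
    {
        // Constructed benign input: no DTD, parses normally.
        string benign = "<data><item>hello</item></data>";
        Console.WriteLine(ParseUntrusted(benign).DocumentElement.InnerText); // hello

        // Constructed XXE-shaped input: declares an external entity that points
        // at a local file. The hardened reader rejects it before any expansion.
        string xxe = "<!DOCTYPE data [<!ENTITY ext SYSTEM \"file:///placeholder/secret.txt\">]>"
                   + "<data>&ext;</data>";
        try
        {
            ParseUntrusted(xxe);
            Console.WriteLine("unexpected: document accepted");
        }
        catch (XmlException e)
        {
            // Log and reject; the entity is never resolved.
            Console.WriteLine("rejected: " + e.Message);
        }
    }
}
```

Rejected documents are worth logging with the source address, since a DOCTYPE in a request that the application never expects is a reliable indicator of probing for this class of bug.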
Apply an Update
Thanks to Matthias Kaiser for reporting this vulnerability.