Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

CVE-2021-38490

High

7.5/10

Summary

Altova MobileTogether Server before 7.3 SP1 allows XML exponential entity expansion, a different vulnerability than CVE-2021-37425.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: NONE

CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

The software uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

References

Advisory Timeline

Published Aug 10, 2021

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

CVE-2021-38490

Summary

CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS