Published: 2023/10/18  Last Updated: 2023/10/18

Improper restriction of XML external entity references (XXE) in Proself


Proself provided by North Grid Corporation improperly restricts XML external entity references (XXE).

Products Affected

  • Proself Enterprise/Standard Edition Ver5.62 and earlier
  • Proself Gateway Edition Ver1.65 and earlier
  • Proself Mail Sanitize Edition Ver1.08 and earlier


Proself provided by North Grid Corporation improperly restricts XML external entity references (XXE) (CWE-611).
The developer states that attacks exploiting this vulnerability have been observed.


By processing a specially crafted request containing malformed XML data, arbitrary files on the server, such as account information, may be read by an attacker.


Update the software
Update the software to the latest version according to the information provided by the developer.

Apply the workaround
Until the software is updated, the developer recommends applying the workaround to mitigate the impact of this vulnerability.

Stop using the products
According to the developer, the following products are no longer supported. Stop using the vulnerable products and consider switching to alternatives.

  • Proself Enterprise/Standard Edition Ver.4 and earlier


JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 Base Score: 7.5
Attack Vector (AV): Physical (P) / Local (L) / Adjacent (A) / Network (N)
Attack Complexity (AC): High (H) / Low (L)
Privileges Required (PR): High (H) / Low (L) / None (N)
User Interaction (UI): Required (R) / None (N)
Scope (S): Unchanged (U) / Changed (C)
Confidentiality Impact (C): None (N) / Low (L) / High (H)
Integrity Impact (I): None (N) / Low (L) / High (H)
Availability Impact (A): None (N) / Low (L) / High (H)

CVSS v2 Base Score: 5.0
Access Vector (AV): Local (L) / Adjacent Network (A) / Network (N)
Access Complexity (AC): High (H) / Medium (M) / Low (L)
Authentication (Au): Multiple (M) / Single (S) / None (N)
Confidentiality Impact (C): None (N) / Partial (P) / Complete (C)
Integrity Impact (I): None (N) / Partial (P) / Complete (C)
Availability Impact (A): None (N) / Partial (P) / Complete (C)


North Grid Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and North Grid Corporation coordinated under the Information Security Early Warning Partnership.

Other Information

  • JPCERT Alert: JPCERT-AT-2023-0022, Alert Regarding Attacks Exploiting XXE Vulnerability in Proself (Text in Japanese)
  • CVE: CVE-2023-45727
  • JVN iPedia: JVNDB-2023-000104

Update History

Information under the sections [Vendor Status] and [Other Information] was updated