JVN#95981460
Improper restriction of XML external entity references (XXE) in Proself
Critical
Overview
Proself provided by North Grid Corporation improperly restricts XML external entity references (XXE).
Products Affected
- Proself Enterprise/Standard Edition Ver5.62 and earlier
- Proself Gateway Edition Ver1.65 and earlier
- Proself Mail Sanitize Edition Ver1.08 and earlier
Description
Proself provided by North Grid Corporation improperly restricts XML external entity references (XXE) (CWE-611).
The developer states that attacks exploiting this vulnerability have been observed.
Impact
If the product processes a specially crafted request containing malformed XML data, an attacker may read arbitrary files on the server, such as account information.
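A pre-parse gate of the kind that blocks CWE-611 (refusing any DOCTYPE or entity declaration before a document reaches a parser that might resolve external entities), added here as an illustration; it is not Proself code and not the vendor's workaround, and the function name and sample inputs are constructed for this example:

```python
"""Pre-parse gate that rejects XML carrying DOCTYPE or entity declarations.

Added example; not Proself code and not the vendor's workaround. The name
reject_external_entities() and the sample inputs are assumptions made for
this illustration.
"""
import xml.parsers.expat


class _Rejected(Exception):
    """Internal signal raised from an expat handler to stop tokenising."""


def reject_external_entities(xml_bytes: bytes) -> str:
    """Return "ok" when the document may be handed to the real parser,
    otherwise a short reason: "doctype", "entity" or "malformed".

    CWE-611 arises when a parser resolves entities declared in a DTD, so
    the gate refuses any DOCTYPE and any entity declaration or external
    entity reference before a resolving parser ever sees the document.
    expat is used here only to tokenise; it resolves nothing itself.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(*_):
        raise _Rejected("doctype")

    def on_entity(*_):
        raise _Rejected("entity")

    parser.StartDoctypeDeclHandler = on_doctype   # <!DOCTYPE ...> of any kind
    parser.EntityDeclHandler = on_entity          # <!ENTITY ...> declarations
    parser.ExternalEntityRefHandler = on_entity   # &name; pointing outside
    try:
        parser.Parse(xml_bytes, True)
    except _Rejected as why:
        return str(why)
    except xml.parsers.expat.ExpatError:
        return "malformed"
    return "ok"


# Constructed sample inputs for demonstration only.
SAFE_REQUEST = b'<?xml version="1.0"?><request><user>alice</user></request>'
ENTITY_REQUEST = (b'<?xml version="1.0"?>'
                  b'<!DOCTYPE r [<!ENTITY ext SYSTEM "file:///constructed/path">]>'
                  b'<r>&ext;</r>')
EXTERNAL_DTD_REQUEST = b'<!DOCTYPE r SYSTEM "http://constructed.example/x.dtd"><r/>'

if __name__ == "__main__":
    print(reject_external_entities(SAFE_REQUEST))          # ok
    print(reject_external_entities(ENTITY_REQUEST))        # doctype
    print(reject_external_entities(EXTERNAL_DTD_REQUEST))  # doctype
```

Rejected documents should be logged with the reason string, since a DOCTYPE in a request body that never legitimately carries one is itself a useful detection signal.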
Solution
Update the software
Update the software to the latest version according to the information provided by the developer.
Apply the workaround
Until the software is updated, the developer recommends applying the workaround to mitigate the impact of this vulnerability.
Stop using the products
According to the developer, the following products are no longer supported. Stop using the vulnerable products and consider switching to alternatives.
- Proself Enterprise/Standard Edition Ver.4 and earlier
Vendor Status
Vendor | Link |
---|---|
North Grid Corporation | [Urgent] Attacks exploiting a zero-day vulnerability (CVE-2023-45727) of Proself (updated) (Text in Japanese) |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
CVSS v3 base metrics (Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality Impact, Integrity Impact, Availability Impact) and CVSS v2 base metrics (Access Vector, Access Complexity, Authentication, Confidentiality Impact, Integrity Impact, Availability Impact); the rated values are not included in this text.
Credit
North Grid Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and North Grid Corporation coordinated under the Information Security Early Warning Partnership.
Other Information
Item | Reference |
---|---|
JPCERT Alert | JPCERT-AT-2023-0022 Alert Regarding Attacks Exploiting XXE Vulnerability in Proself (Text in Japanese) |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2023-45727 |
JVN iPedia | JVNDB-2023-000104 |
Update History
- 2023/10/18
- Information under the sections [Vendor Status] and [Other Information] was updated