SYNC-2019-111401 - XXE Vulnerabilities In Oxygen XML Suite of Products
Severity: Medium
2019-11-14 17:48:14
Abstract
The handling of XML documents in Oxygen XML Editor/Author/Developer is vulnerable to attacks based on XML External Entities (XXE). This applies only to documents that contain embedded DTDs and Entity declarations.
Affected Products/Versions
Product | Severity | Fixed Release Availability |
Oxygen XML Editor 21.1 and older versions | Medium | Oxygen XML Editor 21.1 build 2019120214; Oxygen XML Editor 20.1 build 2019120217; Oxygen XML Editor 19.1 build 2019121015 |
Oxygen XML Developer 21.1 and older versions | Medium | Oxygen XML Developer 21.1 build 2019120214; Oxygen XML Developer 20.1 build 2019120217; Oxygen XML Developer 19.1 build 2019121015 |
Oxygen XML Author 21.1 and older versions | Medium | Oxygen XML Author 21.1 build 2019120214; Oxygen XML Author 20.1 build 2019120217; Oxygen XML Author 19.1 build 2019121015 |
Detail
SYNC-2019-111401
Severity: Medium
CVSS Score: 6.5
This is a medium-severity issue. Because the embedded XML parser does not offer enough control over the location of files it opens, this XXE vulnerability allows execution of specially crafted XML files. Thus, an attacker can read files that are accessible to the currently running Oxygen XML process. To succeed, the attacker needs very good knowledge of file locations on your file system in order to access the information stored on your computer.
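As an added illustration (not part of the original advisory and not Oxygen code), the following Python check inspects a document for the condition named in the Abstract, an embedded DTD with entity declarations, and reports any entity that carries an external identifier, without opening the file or URL it names. It can be used to triage untrusted XML before it is opened in a build older than the fixed releases. The function names and both sample documents are constructed for this example.

```python
import xml.parsers.expat as expat

# Constructed sample documents (not taken from the advisory).
SAMPLE_XXE = b"""<?xml version="1.0"?>
<!DOCTYPE note [
  <!ENTITY ext SYSTEM "file:///constructed/placeholder.txt">
  <!ENTITY author "Constructed Author">
]>
<note>&author; &ext;</note>
"""
SAMPLE_BENIGN = b"""<?xml version="1.0"?>
<!DOCTYPE note [ <!ENTITY author "Constructed Author"> ]>
<note>&author;</note>
"""

def scan_for_xxe(xml_bytes):
    """List the embedded DTD and entity declarations; nothing external is opened."""
    report = {"internal_dtd": False, "external_dtd": None,
              "external_entities": [], "internal_entities": [], "well_formed": True}

    def on_doctype(name, system_id, public_id, has_internal_subset):
        report["internal_dtd"] = bool(has_internal_subset)
        report["external_dtd"] = system_id

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            # SYSTEM/PUBLIC identifier: a resolving parser would open a file or URL.
            report["external_entities"].append((("%" if is_param else "") + name, system_id))
        else:
            report["internal_entities"].append(name)

    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    # Returning 1 lets expat continue past the reference without loading the entity.
    parser.ExternalEntityRefHandler = lambda context, base, system_id, public_id: 1
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError:
        report["well_formed"] = False  # declarations seen before the error are kept
    return report

def needs_review(xml_bytes):
    """True when the document declares an external entity or cannot be fully parsed."""
    report = scan_for_xxe(xml_bytes)
    return bool(report["external_entities"]) or not report["well_formed"]

if __name__ == "__main__":
    for label, doc in (("xxe", SAMPLE_XXE), ("benign", SAMPLE_BENIGN)):
        print(label, needs_review(doc), scan_for_xxe(doc))
```

A document that fails to parse is flagged as well, because its declarations may not have been fully enumerated.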
Revision History
2019-12-04 Initial release availability for v21.1, v20.1 and v19.1.
2019-12-11 Secondary release availability for v19.1. The initial release of v19.1 (2019120219) for this advisory did not cover all scenarios.
This issue was identified and responsibly reported by Pablo Santiago.
If you have questions about the security features of an Oxygen product or require technical support, please contact us on .
If you want to download product updates, please visit our Download page.
Please only use the e-mail address for reporting security issues.