How severe is CVE-2019-14277?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.8 out of 10.

What type of vulnerability is CVE-2019-14277?

This is classified as CWE-91, which is a common weakness in software security.

CVE-2019-14277 - CRITICAL Severity | CVSS 9.8

Vulnerability Description

Axway SecureTransport 5.x through 5.3 (or 5.x through 5.5 with certain API configuration) is vulnerable to unauthenticated blind XML injection (and XXE) in the resetPassword functionality via the REST API. This vulnerability can lead to local file disclosure, DoS, or URI invocation attacks (i.e., SSRF with resultant remote code execution). NOTE: The vendor disputes this issues as not being a vulnerability because “All attacks that use external entities are blocked (no external DTD or file inclusions, no SSRF). The impact on confidentiality, integrity and availability is not proved on any version.

Related Vulnerabilities

CVE-2013-4857

CRITICAL

CVSS:9.8(Critical)

D-Link DIR-865L has PHP File Inclusion in the router xml file.

CWE-912013

CVE-2013-7429

CRITICAL

CVSS:9.8(Critical)

The Googlemaps plugin before 3.1 for Joomla! allows remote attackers to conduct XML injection attacks via the url parameter to plugin_googlemap2_proxy.php.

CWE-912013

CVE-2015-6970

CRITICAL

CVSS:9.8(Critical)

The web interface in Bosch Security Systems NBN-498 Dinion2X Day/Night IP Cameras with H.264 Firmware 4.54.0026 allows remote attackers to conduct XML injection attacks via the idstring parameter to r...

CWE-912015

CVE-2019-16941

CRITICAL

CVSS:9.8(Critical)

NSA Ghidra through 9.0.4, when experimental mode is enabled, allows arbitrary code execution if the Read XML Files feature of Bit Patterns Explorer is used with a modified XML document. This occurs in...

CWE-912019

CVE-2019-17626

CRITICAL

CVSS:9.8(Critical)

ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with '<span color="' followed by arbitrary Python code.

CWE-912019

CVE-2019-19450

CRITICAL

CVSS:9.8(Critical)

paraparser in ReportLab before 3.5.31 allows remote code execution because start_unichar in paraparser.py evaluates untrusted user input in a unichar element in a crafted XML document with '<unichar c...

CWE-912019