Keysight Ixia Vision Product Family External XML Entity Injection Vulnerability Allowing Arbitrary File Download

Vulnerability

An XML external entity (XXE) injection vulnerability has been identified in the Keysight Ixia Vision Product Family, specifically in version 6.3.1. It allows the arbitrary download of files. Exploitation requires a privileged account, but the issue could lead to further compromise of the device when combined with other issues. The vulnerability arises from improper restriction of XML external entity references: XML containing such references can be injected and is then processed by the application, potentially leading to unauthorized file access or manipulation.
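An added example, not from Keysight or the original advisory: the sketch below shows what restricting XML external entity references looks like in practice, using Python's standard `xml.parsers.expat` to record DOCTYPE and entity declarations without resolving them and to refuse any document that declares a DTD. The function names and sample documents are constructed for illustration; the product's actual parser and input format are not described on this page.

```python
import xml.parsers.expat

# Constructed sample documents (not taken from the advisory or the product).
PLAIN = b"<config><port id='1'/></config>"
WITH_EXTERNAL = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE config [<!ENTITY ext SYSTEM "file:///constructed/placeholder">]>'
    b"<config><name>&ext;</name></config>"
)
WITH_INTERNAL = b'<!DOCTYPE config [<!ENTITY a "x">]><config>&a;</config>'


def inspect_xml(data: bytes) -> dict:
    """Report DTD and entity declarations without resolving any of them."""
    findings = {"doctype": None, "internal_entities": [], "external_entities": []}
    parser = xml.parsers.expat.ParserCreate()
    # No ExternalEntityRefHandler is installed, so expat never fetches a
    # SYSTEM/PUBLIC identifier; declarations are only recorded.

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings["doctype"] = name

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if value is None:  # external entity: declared by SYSTEM/PUBLIC id
            findings["external_entities"].append((name, system_id))
        else:  # internal entity: replacement text is inline
            findings["internal_entities"].append(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)
    return findings


def accept_upload(data: bytes) -> bool:
    """Policy: accept only well-formed XML that carries no DOCTYPE at all."""
    try:
        findings = inspect_xml(data)
    except xml.parsers.expat.ExpatError:
        return False  # malformed input is refused as well
    return findings["doctype"] is None
```

Rejecting every DOCTYPE is stricter than blocking external entities alone; it also closes off internal-entity expansion, which a configuration import has no need for.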

Impact

Exploitation of this vulnerability could allow an attacker to download arbitrary files from the affected device and, in combination with other vulnerabilities, could facilitate further compromise of the device.

Remediation

Keysight recommends that all users upgrade to the latest version of the software as soon as possible. For more information about the Ixia Vision Product Family, visit the Ixia product support page. Questions can be directed to Keysight.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 4.8
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.