Exagrid EX10 Privilege Escalation and Information Disclosure Vulnerability via XML External Entities Injection
Vulnerability
A vulnerability allowing XML external entities (XXE) injection has been identified in the Exagrid EX10 product version 7.0.1p02. This vulnerability exists in the '/init' API endpoint and allows an authenticated, unprivileged attacker to escalate privileges and disclose sensitive information by sending a crafted ISys XML message. The XXE injection arises because external DTD processing is not disabled, enabling attackers to read sensitive system files through verbose error messages.
Impact
Exploitation of this vulnerability could lead to unauthorized privilege escalation and disclosure of sensitive information from the affected system.
Reproduction
To reproduce this vulnerability, an authenticated user can send a POST request to the '/init' API endpoint with a crafted XML message that includes an external DTD. The DTD can be used to access sensitive files on the server, which will be disclosed through the response's error messages.
Remediation
This vulnerability has been patched in Exagrid versions 6.4.0 P20, 7.0.1 P12, and 7.2.0 P08.
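The two conditions named in the description, DTD processing left enabled and parser errors returned to the client, can be closed off wherever untrusted XML is parsed. The following is an added example, not Exagrid's code or part of the original advisory; it uses Python's standard expat bindings, and the function names, element names and URL are constructed placeholders.

```python
import logging
from xml.parsers import expat

log = logging.getLogger("xml_guard")  # details go to the server log only


class ForbiddenXML(ValueError):
    """The message carries a DTD, entity declaration or external reference."""


def parse_message(data):
    """Parse a flat XML message into {tag: text}, refusing any DTD."""
    parser = expat.ParserCreate()
    fields, stack = {}, []

    def forbid(*_args):
        # Abort at the first DOCTYPE, entity declaration or external
        # reference, so no entity is ever defined or expanded.
        raise ForbiddenXML("DTD or entity declaration in message")

    parser.StartDoctypeDeclHandler = forbid
    parser.EntityDeclHandler = forbid
    parser.ExternalEntityRefHandler = forbid

    def text(chunk):
        if stack and chunk.strip():
            fields[stack[-1]] = fields.get(stack[-1], "") + chunk

    parser.StartElementHandler = lambda name, attrs: stack.append(name)
    parser.EndElementHandler = lambda name: stack.pop()
    parser.CharacterDataHandler = text
    parser.Parse(data, True)
    return fields


def handle_request(body):
    """Return (status, body); parser errors are never echoed to the client."""
    try:
        fields = parse_message(body)
    except (ForbiddenXML, expat.ExpatError) as exc:
        log.warning("rejected XML message: %s", exc)
        return 400, "invalid request"
    return 200, "accepted %d field(s)" % len(fields)


# Constructed sample inputs; element names and the URL are placeholders.
BENIGN = b"<msg><action>status</action></msg>"
WITH_EXTERNAL_DTD = (
    b'<!DOCTYPE msg SYSTEM "http://example.invalid/x.dtd">'
    b"<msg><action>status</action></msg>"
)
```

The rejection reason is written to the server log, while the client receives the same fixed string for a forbidden DTD and for malformed XML.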
