First published: Wed Sep 19 2018
The Symantec Messaging Gateway product prior to 10.6.6 may be susceptible to an XML external entity (XXE) exploit, which is a type of issue where XML input containing a reference to an external entity is processed by a weakly configured XML parser. The attack uses file URI schemes or relative paths in the system identifier to access files that should not normally be accessible.
Credit: secure@symantec.com
Affected Software | Affected Version | How to fix |
---|---|---|
Symantec Messaging Gateway | <10.6.6 |
CVE-2018-12243 is a vulnerability found in the Symantec Messaging Gateway product prior to version 10.6.6 that may be susceptible to an XML external entity (XXE) exploit.
An XML external entity (XXE) exploit is a type of vulnerability where XML input containing a reference to an external entity is processed by a weakly configured XML parser.
An attacker can exploit CVE-2018-12243 by providing XML input containing a malicious reference to an external entity, which the weakly configured XML parser resolves when it processes the input.
CVE-2018-12243 has a severity rating of 8.8 (high).
To fix CVE-2018-12243, upgrade to Symantec Messaging Gateway version 10.6.6 or higher.
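As an added example (not Symantec's code and not part of the original advisory), the following Python check lists the external entities an XML document declares and labels each system identifier as a file URI or a relative path, the two forms named in the description above, without fetching or expanding anything. The function names and the sample document are constructed for illustration.

```python
from urllib.parse import urlparse
from xml.parsers import expat

# Constructed sample input: one internal entity and two external ones.
SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE msg [
  <!ENTITY greeting "hello">
  <!ENTITY a SYSTEM "file:///placeholder/secret.txt">
  <!ENTITY b SYSTEM "../conf/placeholder.xml">
]>
<msg>&greeting; &a; &b;</msg>"""


def classify_system_id(system_id):
    """Label a system identifier by the kind of resource it points at."""
    scheme = urlparse(system_id).scheme.lower()
    if scheme == "file":
        return "file-uri"
    # No scheme, or a one-letter "scheme" such as a drive letter: a path.
    if len(scheme) <= 1:
        return "relative-or-local-path"
    return "other-uri:" + scheme


def find_external_entities(xml_bytes):
    """Return [(name, system_id, label)] for each external entity declared
    in the document's DTD. Nothing is fetched or expanded."""
    findings = []
    parser = expat.ParserCreate()

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities carry a value and no system identifier.
        if system_id is not None:
            findings.append((name, system_id, classify_system_id(system_id)))

    parser.EntityDeclHandler = on_entity_decl
    # ExternalEntityRefHandler is left unset, so expat skips external
    # entity references instead of resolving them.
    parser.Parse(xml_bytes, True)
    return findings


if __name__ == "__main__":
    for name, system_id, label in find_external_entities(SAMPLE):
        print(f"external entity {name!r}: {system_id} [{label}]")
```

A non-empty result on input that has no reason to carry a DTD is a signal to reject the document before it reaches any parser that resolves external entities.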