CVE-2018-15444

A vulnerability in the web-based user interface of Cisco Energy Management Suite Software could allow an authenticated, remote attacker to gain read and write access to information that is stored on an affected system. The vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by convincing a user of an affected system to import a crafted XML file with malicious entries, which could allow the attacker to read and write files within the affected application.

A vulnerability in the web-based user interface of Cisco Energy Management Suite Software could allow an authenticated, remote attacker to gain read and write access to information that is stored on an affected system. The vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by convincing a user of an affected system to import a crafted XML file with malicious entries, which could allow the attacker to read and write files within the affected application.

Una vulnerabilidad en la interfaz de usuario web en Cisco Energy Management Suite Software podría permitir que un atacante remoto autenticado obtenga acceso de lectura y escritura a la información almacenada en el sistema afectado. La vulnerabilidad se debe a una gestión incorrecta de las entradas XEE (XML External Entity) cuando se analizan determinados archivos XML. Un atacante podría explotar esta vulnerabilidad convenciendo a un usuario de un sistema afectado para que importe un archivo XML manipulado con entradas maliciosas, lo que podría permitir al atacante leer y modificar archivos en la aplicación afectada.