SYNC-2019-111401 - XXE Vulnerabilities In Oxygen XML Suite of Products

Severity: Medium

2019-11-14 17:48:14

Abstract

The handling of XML documents in Oxygen XML Editor/Author/Developer is vulnerable to attacks based on XML External Entities (XXE). This applies only to documents that contain embedded DTDs and Entity declarations.

Affected Products/Versions

Product: Oxygen XML Editor 21.1 and older versions
Severity: Medium
Fixed Release Availability:
  Oxygen XML Editor 21.1 build 2019120214
  Oxygen XML Editor 20.1 build 2019120217
  Oxygen XML Editor 19.1 build 2019121015

Product: Oxygen XML Developer 21.1 and older versions
Severity: Medium
Fixed Release Availability:
  Oxygen XML Developer 21.1 build 2019120214
  Oxygen XML Developer 20.1 build 2019120217
  Oxygen XML Developer 19.1 build 2019121015

Product: Oxygen XML Author 21.1 and older versions
Severity: Medium
Fixed Release Availability:
  Oxygen XML Author 21.1 build 2019120214
  Oxygen XML Author 20.1 build 2019120217
  Oxygen XML Author 19.1 build 2019121015

Mitigation

None

Detail

SYNC-2019-111401

Severity: Medium

CVSS Score: 6.5

This is a medium-severity issue. Because the embedded XML parser does not offer enough control over the location of the files it opens, processing a specially crafted XML file lets an attacker read files that are accessible to the running Oxygen XML process. To succeed, the attacker needs very good knowledge of the file locations on the victim's file system in order to reach the information stored on that computer.
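The missing control described above is where external entities may be opened. The following is an added illustration using Python's standard-library SAX parser, not Oxygen's code: an EntityResolver that only resolves SYSTEM entities landing inside one approved directory and refuses everything else before any file handle is opened. The directory, file name and sample entities are constructed for the demonstration.

```python
import io, os, tempfile
import xml.sax
from pathlib import Path
from urllib.parse import urljoin, urlparse
from urllib.request import url2pathname
from xml.sax import handler
from xml.sax.xmlreader import InputSource

class BlockedEntity(xml.sax.SAXException):
    """Raised before any file handle is opened for a non-approved entity."""

class AllowListResolver(handler.EntityResolver):
    def __init__(self, allowed_dir, base_url):
        self.allowed_dir = os.path.realpath(allowed_dir)
        self.base_url = base_url  # relative system IDs resolve against the document URL

    def resolveEntity(self, publicId, systemId):
        parts = urlparse(urljoin(self.base_url, systemId))
        if parts.scheme != "file" or parts.netloc not in ("", "localhost"):
            raise BlockedEntity("non-local entity refused: " + systemId)
        path = os.path.realpath(url2pathname(parts.path))  # collapses ../ and symlinks
        if os.path.commonpath([path, self.allowed_dir]) != self.allowed_dir:
            raise BlockedEntity("entity outside allowed directory: " + systemId)
        src = InputSource(parts.geturl())
        src.setByteStream(open(path, "rb"))
        return src

def parse_restricted(xml_bytes, base_url, allowed_dir):
    """Return ('ok', text) if the document parses, ('blocked', reason) otherwise."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, True)  # opt in, gated by the resolver
    parser.setEntityResolver(AllowListResolver(allowed_dir, base_url))
    text, collector = [], handler.ContentHandler()
    collector.characters = text.append  # collect character data, entity content included
    parser.setContentHandler(collector)
    try:
        parser.parse(io.BytesIO(xml_bytes))
    except BlockedEntity as exc:
        return ("blocked", exc.getMessage())
    return ("ok", "".join(text))

def demo():
    """Constructed inputs: an in-tree entity, an absolute XXE, a traversal, a remote URL."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "note.txt").write_bytes(b"hello")
        base = Path(d).as_uri() + "/"
        tmpl = b'<!DOCTYPE doc [<!ENTITY x SYSTEM "%s">]><doc>&x;</doc>'
        return [parse_restricted(tmpl % s, base, d) for s in (b"note.txt",
                b"file:///etc/passwd", b"../../etc/passwd", b"http://example.invalid/x")]
```

Only the entity inside the approved directory is expanded; the absolute path, the traversal and the remote URL are all refused by the resolver.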

Revision History

2019-12-04 Initial release availability for v21.1, v20.1 and v19.1.

2019-12-11 Secondary release availability for v19.1. The initial release of v19.1 (2019120219) for this advisory did not cover all scenarios.

This issue was identified and responsibly reported by Pablo Santiago.

If you have questions about the security features of an Oxygen product or require technical support, please contact us on .

If you want to download product updates, please visit our Download page.

Please only use the e-mail address for reporting security issues.