QwikSec

Security Database

CVE

CWE

Training

CVE-2019-14277

Published: Jul 26, 2019

Modified: Aug 5, 2024

PUBLISHED

Description

Axway SecureTransport 5.x through 5.3 (or 5.x through 5.5 with certain API configuration) is vulnerable to unauthenticated blind XML injection (and XXE) in the resetPassword functionality via the REST API. This vulnerability can lead to local file disclosure, DoS, or URI invocation attacks (i.e., SSRF with resultant remote code execution). NOTE: The vendor disputes this issues as not being a vulnerability because “All attacks that use external entities are blocked (no external DTD or file inclusions, no SSRF). The impact on confidentiality, integrity and availability is not proved on any version.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://www.exploit-db.com/exploits/47150

x_refsource_MISC

https://gist.githubusercontent.com/zeropwn/59f17727dfaba239b0ace6f33b752974/raw/9b6541a94ac5ec181a88e6c84cb3e3001025b8fd/Axway%2520SecureTransport%25205.x%2520Unauthenticated%2520XXE

x_refsource_MISC

https://zero.lol/2019-07-21-axway-securetransport-xml-injection/

x_refsource_MISC

https://community.axway.com/s/article/SecureTransport-Security-Notice-re-CVE-2019-14277-Unauthenticated-XML-Injection-and-XXE

x_refsource_CONFIRM

https://community.axway.com/s/article/SecureTransport-Security-Notice

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.