CVE-2019-9670

CVE Published	2019-05-29
Related CWE(s)	CWE-611: Improper Restriction of XML External Entity Reference
Related Vendor(s)	synacor
Related Product(s)	zimbra_collaboration_suite
Exploitation Reported (CISA KEV)	2022-01-10
CVSS 3 Base Score	9.8 (CRITICAL)
CVSS 3 Attack Complexity	LOW
CVSS 3 Attack Vector	NETWORK

mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity injection (XXE) vulnerability, as demonstrated by Autodiscover/Autodiscover.xml.

Cyber Threat Graph Context

Explore how this CVE relates to the wider threat graph

Associated CAPEC Patterns

Data Serialization External Entities Blowup (CAPEC-221)

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.

References

CVE-2019-9670

Cyber Threat Graph Context

Associated CAPEC Patterns

Data Serialization External Entities Blowup (CAPEC-221)

References

CVE.org

NIST National Vulnerability Database

CISA Known Exploited Vulnerabilities