Microsoft Windows System Information Console XXE Injection Information Disclosure
TSL ID: TSL20170711-11
CVE ID(s): CVE-2017-8557
Severity: Moderate
Description

An XML external entity (XXE) injection vulnerability has been reported in the System Information Console component of Microsoft Windows. The vulnerability is due to a failure to properly handle external entity references in XML files.

A remote attacker could exploit this vulnerability by enticing a target user into opening a crafted XML file with System Information Console. Successful exploitation results in the disclosure of file contents from the target system.

The vendor, Microsoft, has released the following advisory regarding this vulnerability:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8557
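
As a defensive illustration of the condition described above, the following added example (not part of the original advisory or of any vendor tooling) inspects an untrusted XML file for external DTD and external entity declarations before it is opened in a viewer. The function name and the sample documents are constructed for illustration. Python's expat binding is used only as a tokenizer: no external entity handler is installed, so nothing is fetched.

```python
import xml.parsers.expat


def find_external_entities(xml_bytes):
    """Return (kind, name, identifier) tuples for DTD constructs that point
    outside the document. Nothing is resolved or fetched."""
    findings = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # <!DOCTYPE root SYSTEM "..."> or PUBLIC "..." "..." : external DTD subset
        if system_id or public_id:
            findings.append(("external-dtd", name, system_id or public_id))

    def on_entity_decl(name, is_parameter, value, base,
                       system_id, public_id, notation):
        # expat reports value=None for external entities
        if value is None and (system_id or public_id):
            kind = "external-parameter-entity" if is_parameter else "external-entity"
            findings.append((kind, name, system_id or public_id))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError as exc:
        # Malformed input is reported rather than silently treated as clean
        findings.append(("parse-error", "", str(exc)))
    return findings


# Constructed samples; the URIs are placeholders under the reserved .invalid TLD.
SUSPECT = b"""<?xml version="1.0"?>
<!DOCTYPE Report [
  <!ENTITY ext SYSTEM "http://example.invalid/placeholder">
]>
<Report><Data>sample</Data></Report>"""

EXTERNAL_DTD = b"""<?xml version="1.0"?>
<!DOCTYPE Report SYSTEM "http://example.invalid/r.dtd">
<Report/>"""

CLEAN = b"""<?xml version="1.0"?><Report><Data>ok</Data></Report>"""

if __name__ == "__main__":
    for label, doc in (("suspect", SUSPECT), ("external-dtd", EXTERNAL_DTD), ("clean", CLEAN)):
        print(label, find_external_entities(doc))
```

Any non-empty result is a reason to quarantine the file instead of opening it on an unpatched system.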

Affected Products
  • Microsoft Windows 10
  • Microsoft Windows 7
  • Microsoft Windows 8.1
  • Microsoft Windows RT 8.1
  • Microsoft Windows Server 2008
  • Microsoft Windows Server 2008 R2
  • Microsoft Windows Server 2012
  • Microsoft Windows Server 2012 R2
  • Microsoft Windows Server 2016
CVSS Score
Base 7.1 (AV:N/AC:M/Au:N/C:C/I:N/A:N):
  • Access vector is NETWORK
  • Access complexity is MEDIUM
  • Level of authentication required is NONE
  • Impact of this vulnerability on data confidentiality is COMPLETE
  • Impact of this vulnerability on data integrity is NONE
  • Impact of this vulnerability on data availability is NONE
Temporal 5.3 (E:U/RL:OF/RC:C):
  • The exploitability level of this vulnerability is UNPROVEN
  • The remediation level of this vulnerability is OFFICIAL FIX
  • The report confidence level of this vulnerability is CONFIRMED
References
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8557