CVE-2024-37397

High

An External XML Entity (XXE) vulnerability in the provisioning web service of Ivanti EPM before 2022 SU6, or the 2024 September update…

hackerone·CWE-611·Published 2024-09-12

CVSS

8.2

EPSS

0.59

KEV

Exploits

cve.orgen

196 chars

An External XML Entity (XXE) vulnerability in the provisioning web service of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to leak API secrets.

NVDen

196 chars

An External XML Entity (XXE) vulnerability in the provisioning web service of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to leak API secrets.

Una vulnerabilidad de entidad XML externa (XXE) en el servicio web de aprovisionamiento de Ivanti EPM antes de 2022 SU6 o la actualización de septiembre de 2024 permite que un atacante remoto no autenticado filtre secretos de API.

CVSS metrics across sources

Version	Type	Source	Base	Exp	Impact	Vector
3.0	Primary	cve.org	8.2	—	—	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
3.0	Primary	cve.org	8.2	—	—	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
3.0	Secondary	NVD	8.2	3.9	4.2	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
3.1	Primary	cve.org	8.2	—	—	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
3.1	Primary	cve.org	8.2	—	—	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
3.1	Secondary	NVD	8.2	3.9	4.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N