CVE-2021-30137
Published: 15 September 2021
Summary
CVE-2021-30137 is a high-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in Axiossystems Assyst. Its CVSS base score is 7.7 (High).
Operationally, ranked at the 44.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-17074
Vulnerability details
Assyst 10 SP7.5 has authenticated XXE leading to SSRF via XML unmarshalling. The application allows users to send JSON or XML data to the server. It was possible to inject malicious XML data through several access points.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.