Cyber Posture

CVE-2023-47160

Severity: High
Published: 19 February 2025
Modified: 25 July 2025
KEV Added: not listed
Patch: see IBM advisory below
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)
EPSS Score: 0.0006 (17.5th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-47160 is a high-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in IBM Cognos Controller. Its CVSS base score is 8.2 (High).

Operationally, its EPSS score places it at the 17.5th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly remediates the XXE vulnerability in IBM Cognos Controller by requiring identification, reporting, patching, and verification of the specific XML processing flaw.

Prevent: Prevents XXE exploitation by validating XML inputs to detect and reject external entities or malicious XML constructs before processing.

Prevent: Mitigates XXE by enforcing secure configuration settings on XML parsers to disable external entity resolution and DTD processing.
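As an added example (not code from the page, from IBM, or from the advisory), the following Python uses only the standard library's pyexpat to implement the two controls above: it refuses any document that declares a DTD, an entity or an external entity reference before the application parser ever sees it, and configures the pre-parser itself never to fetch parameter entities. The UnsafeXML class, the function names and the sample documents are constructed for this illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

class UnsafeXML(ValueError):
    """Input declares a DTD or entity construct that we refuse to process."""

def reject_dtd_and_entities(data: bytes) -> None:
    """Raise UnsafeXML on the first DOCTYPE, entity declaration or external entity
    reference, so the document never reaches the application parser (SI-10)."""
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {name!r} declared (system id {sysid!r})")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXML(f"entity {name!r} declared")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXML(f"external entity reference to {sysid!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    # CM-6 side: configure the parser never to fetch parameter entities
    # (an external DTD subset), independent of the handlers above.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(data, True)  # exceptions raised in handlers propagate here

def is_safe(data: bytes) -> bool:
    """True when the document contains no DTD or entity constructs."""
    try:
        reject_dtd_and_entities(data)
    except UnsafeXML:
        return False
    return True

def parse_untrusted(data: bytes) -> ET.Element:
    """Validate first, then hand the document to the normal parser."""
    reject_dtd_and_entities(data)
    return ET.fromstring(data)

# Constructed sample documents (not taken from the advisory).
SAFE_DOC = b"<report><period>2025-Q1</period></report>"
# External entity: the construct behind the information-disclosure impact.
XXE_DOC = (b'<!DOCTYPE r [<!ENTITY ext SYSTEM "file:///constructed/placeholder">]>'
           b"<r>&ext;</r>")
# Nested internal entities: the construct behind the memory-consumption impact.
EXPANSION_DOC = (b'<!DOCTYPE r [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
                 b"<r>&b;</r>")
```

Because the DOCTYPE handler fires before any entity inside it is declared, both malicious samples are rejected at the `<!DOCTYPE` token and no entity is ever expanded or fetched.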

NVD Description

IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.

Deeper analysis

IBM Cognos Controller versions 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 are vulnerable to an XML External Entity Injection (XXE) attack, corresponding to CWE-611, when processing XML data. This vulnerability, identified as CVE-2023-47160, carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L), highlighting its high severity primarily due to the potential for sensitive information disclosure alongside limited availability impact.

A remote attacker can exploit this vulnerability without authentication, privileges, or user interaction, requiring only network access and low attack complexity. Exploitation enables the attacker to disclose sensitive information from the server or consume excessive memory resources, potentially leading to denial-of-service conditions.

IBM has issued a security advisory providing details on this vulnerability, available at https://www.ibm.com/support/pages/node/7183597.

Details

CWE(s): CWE-611 Improper Restriction of XML External Entity Reference

Affected Products

Vendor   Product             Versions
ibm      cognos controller   11.0.0 through 11.0.1.4
ibm      controller          11.1.0

CVEs Like This One

CVE-2024-45084 (same product: IBM Cognos Controller)
CVE-2024-28777 (same product: IBM Cognos Controller)
CVE-2024-40702 (same product: IBM Cognos Controller)
CVE-2024-52902 (same product: IBM Cognos Controller)
CVE-2024-49781 (same product: Microsoft Windows)
CVE-2024-54171 (same product: Microsoft Windows)
CVE-2025-36247 (same vendor: IBM)
CVE-2026-1567 (same vendor: IBM)
CVE-2025-12531 (same vendor: IBM)
CVE-2024-49352 (same vendor: IBM)

References

IBM security advisory for CVE-2023-47160: https://www.ibm.com/support/pages/node/7183597