Cyber Resilience

CVE-2023-47160

Severity: High
Published: 19 February 2025
Modified: 25 July 2025
KEV Added: not listed
CVSS v3.1: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)
EPSS: 0.0006 (17.9th percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-47160 is a high-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in IBM Cognos Controller. Its CVSS v3.1 base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it at the 17.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Deeper analysis

IBM Cognos Controller versions 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 are vulnerable to an XML External Entity Injection (XXE) attack, corresponding to CWE-611, when processing XML data. This vulnerability, identified as CVE-2023-47160, carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L), highlighting its high severity primarily due to the potential for sensitive information disclosure alongside limited availability impact.

A remote attacker can exploit this vulnerability without authentication, privileges, or user interaction, requiring only network access and low attack complexity. Exploitation enables the attacker to disclose sensitive information from the server or consume excessive memory resources, potentially leading to denial-of-service conditions.

IBM has issued a security advisory providing details on this vulnerability, available at https://www.ibm.com/support/pages/node/7183597.


Vulnerability details

IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.


Related Threats

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

XXE directly enables remote exploitation of a public-facing application (T1190) for local file/sensitive data disclosure (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2024-40702 (same product: IBM Cognos Controller)
- CVE-2024-28777 (same product: IBM Cognos Controller)
- CVE-2024-45084 (same product: IBM Cognos Controller)
- CVE-2024-52902 (same product: IBM Cognos Controller)
- CVE-2024-54171 (same product: Microsoft Windows)
- CVE-2024-49781 (same product: Microsoft Windows)
- CVE-2026-1567 (same vendor: IBM)
- CVE-2025-0162 (same vendor: IBM)
- CVE-2025-12531 (same vendor: IBM)
- CVE-2024-52363 (same product: Microsoft Windows)

Affected Assets

- IBM Cognos Controller: 11.0.0 through 11.0.1.4
- IBM Controller: 11.1.0

Mitigating Controls (NIST 800-53 r5)

- Prevent: Directly remediates the XXE vulnerability in IBM Cognos Controller by requiring identification, reporting, patching, and verification of the specific XML processing flaw.
- Prevent (SI-10, Information Input Validation): Prevents XXE exploitation by validating XML inputs to detect and reject external entities or malicious XML constructs before processing.
- Prevent (CM-6, Configuration Settings): Mitigates XXE by enforcing secure configuration settings on XML parsers to disable external entity resolution and DTD processing.
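The two controls above, input validation and parser hardening, can be applied together in one place: reject any document that carries a DTD before the parser acts on it, and configure the parser so it never fetches external or parameter entities. The following is an added illustration written for this page using Python's standard-library expat binding; it is not code from IBM Cognos Controller or from the advisory, and it assumes the receiving application has no legitimate need for DTDs.

```python
import xml.parsers.expat as expat

class UnsafeXMLError(ValueError):
    """Raised when a document carries a DTD, entity declaration or external reference."""

def parse_xml_strict(data: bytes) -> dict:
    """Parse XML while refusing every construct an XXE payload depends on.

    Assumption (not from the advisory): the application never needs a DTD, so any
    DOCTYPE is rejected. That blocks external entities (file/URL disclosure) and
    nested internal entities (memory exhaustion) alike.
    """
    parser = expat.ParserCreate()
    # Never read parameter entities: that is how an external DTD subset gets fetched.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    result = {"root": None, "text": ""}  # root element name + concatenated text

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE {name!r} rejected (system id {system_id!r})")
    def reject_entity(name, is_param, value, base, system_id, public_id, notation):
        raise UnsafeXMLError(f"entity declaration {name!r} rejected")
    def reject_external_ref(context, base, system_id, public_id):
        raise UnsafeXMLError(f"external entity reference to {system_id!r} blocked")

    def start_element(name, attrs):
        if result["root"] is None:
            result["root"] = name

    def char_data(text):
        result["text"] += text

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external_ref
    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = char_data
    parser.Parse(data, True)  # an exception raised inside a handler propagates out of Parse
    return result

def is_accepted(data: bytes) -> bool:
    """True if the document parses under the strict policy; False if rejected or malformed."""
    try:
        parse_xml_strict(data)
    except (UnsafeXMLError, expat.ExpatError):
        return False
    return True

# Constructed sample documents for exercising the policy (not captured traffic).
BENIGN = b"<report><entry>ok</entry></report>"
EXTERNAL_ENTITY = b'<!DOCTYPE r [<!ENTITY x SYSTEM "file:///constructed/placeholder">]><r>&x;</r>'
NESTED_ENTITIES = b'<!DOCTYPE r [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]><r>&b;</r>'
```

Rejecting at the DOCTYPE covers both failure modes the advisory names: the external-entity variant that discloses server data and the nested-entity variant that consumes memory.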
