Description
XXE in SmartDeviceServer in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to read arbitrary files on the server.
CVSS breakdown
CVSS 3.0
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
Low
Affected products
- Ivanti / Avalanche6.4.4 – 6.4.4
Exploits & proofs of concept
- nucleiIvanti Avalanche SmartDeviceServer - XML External Entityby DhiyaneshDK