CVE-2014-4769

medium

Description

IBM WebSphere Commerce 6.x through 6.0.0.11 and 7.x through 7.0.0.8 allows remote authenticated users to read arbitrary files or send TCP requests to intranet servers via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/94836

http://www.securityfocus.com/bid/70872

http://www-01.ibm.com/support/docview.wss?uid=swg21685464

http://www-01.ibm.com/support/docview.wss?uid=swg1JR50553

http://www-01.ibm.com/support/docview.wss?uid=swg1JR49897

Details

Source: Mitre, NVD

Published: 2014-11-05

Updated: 2026-06-17

Risk Information

CVSS v2

Base Score: 4

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Severity: Medium

EPSS

EPSS: 0.00271