HP WebInspect XXE Unauthorized Information Disclosure

This script is Copyright (C) 2015-2016 Tenable Network Security, Inc.


Synopsis :

A web security application on the remote host is affected by an
unauthorized information disclosure vulnerability.

Description :

The version of HP WebInspect installed on the remote Windows host is
affected by an unauthorized information disclosure vulnerability due
to an XML external entity (XXE) injection flaw in its XML parser:
external entities declared in a DOCTYPE are resolved when XML data is
parsed. A remote attacker can exploit this, by having HP WebInspect
scan a malicious website that returns crafted XML, to read arbitrary
files from the system running the scanner. Note that the scanner
itself is the victim here; the attack surface is the content of the
sites it is pointed at.
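The following is an added illustration of the flaw class, not code from the plugin or from HP WebInspect (whose parser is not shown on this page). It uses Python's expat-based SAX parser as a stand-in: the same document is parsed once with external general entities enabled (the vulnerable behaviour) and once with them disabled (the hardened behaviour). The XML, the target path and the file contents are all constructed for the demo; a recording entity resolver serves the "file" from memory so nothing on disk or the network is touched.

```python
"""XXE demonstration: a parser that resolves external general entities
leaks whatever the SYSTEM identifier points at; the same parser with
external entity resolution disabled leaks nothing."""
import io
import xml.sax
from xml.sax.handler import ContentHandler, EntityResolver, feature_external_ges
from xml.sax.xmlreader import InputSource

# Constructed XML of the kind a malicious site could return to a scanner.
# The internal DTD subset declares an external entity pointing at a local
# file; the entity is then referenced inside the document body.
MALICIOUS_XML = b"""<?xml version="1.0"?>
<!DOCTYPE result [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<result>&xxe;</result>
"""

# Constructed stand-in for the targeted file (hypothetical content), so the
# demo runs offline and never reads the real /etc/passwd.
FAKE_FILES = {
    "file:///etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
}


class RecordingResolver(EntityResolver):
    """Records every external entity the parser asks for and serves it
    from FAKE_FILES instead of the filesystem or network."""

    def __init__(self):
        self.requested = []

    def resolveEntity(self, publicId, systemId):
        self.requested.append(systemId)
        src = InputSource(systemId)
        src.setByteStream(io.BytesIO(FAKE_FILES.get(systemId, b"")))
        return src


class TextCollector(ContentHandler):
    """Accumulates character data so we can see what the entity expanded to."""

    def __init__(self):
        super().__init__()
        self.text = []

    def characters(self, content):
        self.text.append(content)


def parse_xml(data: bytes, resolve_external: bool):
    """Parse `data` with the stdlib SAX parser.

    resolve_external=True mimics a parser that honours external general
    entities (the vulnerable configuration); False is the hardened
    configuration. Returns (text_inside_document, system_ids_requested).
    """
    parser = xml.sax.make_parser()
    # This single feature flag is the difference between leaking a file
    # and ignoring the entity reference entirely.
    parser.setFeature(feature_external_ges, resolve_external)
    resolver = RecordingResolver()
    collector = TextCollector()
    parser.setEntityResolver(resolver)
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(data))
    return "".join(collector.text), resolver.requested


if __name__ == "__main__":
    for vulnerable in (True, False):
        text, fetched = parse_xml(MALICIOUS_XML, resolve_external=vulnerable)
        label = "external entities ON " if vulnerable else "external entities OFF"
        print(f"{label}: fetched={fetched!r} leaked={text!r}")
```

With resolution enabled the resolver is asked for `file:///etc/passwd` and the fake file contents appear as the document's text, which is exactly what an attacker-controlled site can make a scanner do and, depending on the product, later echo back in a report or an outbound request. With resolution disabled the reference is dropped and nothing is fetched. When reviewing any component that parses XML it did not produce, check the parser's DTD and external-entity settings explicitly rather than relying on library defaults, since those defaults differ between libraries and versions.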

See also :

http://www.nessus.org/u?94288510
https://www.exploit-db.com/exploits/37250/
http://www.securityfocus.com/archive/1/535683

Solution :

Upgrade to HP WebInspect version 10.40.282.10 (10.4 Software Update
1) or later.

Note that HP has not yet made this update generally available via
SmartUpdate, and you must contact HP Support directly for the fix.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 3.4
(CVSS2#E:POC/RL:OF/RC:C)
Public Exploit Available : true

Family: Windows

Nessus Plugin ID: 84194

Bugtraq ID: 75036

CVE ID: CVE-2015-2125
