XML External Entity (XXE) Vulnerability in Automated Logic Corporation (ALC) WebCTRL Versions 6.0, 6.1, and 6.5 Allows Disclosure of Server File Contents

CVE-2018-8819 · MEDIUM Severity

AV:N/AC:L/AU:N/C:P/I:N/A:N

An XXE issue was discovered in Automated Logic Corporation (ALC) WebCTRL Versions 6.0, 6.1 and 6.5. An unauthenticated attacker could send malicious input to WebCTRL, and a weakly configured XML parser would allow the application to disclose full file contents from the underlying web server OS via the "X-Wap-Profile" HTTP header.
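
The "weakly configured XML parser" is the root cause, so the fix is a parser that refuses DTDs and entity declarations outright. The following is an added example, not code from WebCTRL or the original advisory: it assumes the application parses an XML profile document associated with the header, and the function names and sample documents are constructed for illustration.

```python
import xml.parsers.expat


class ForbiddenXml(ValueError):
    """Raised when a document uses a construct the parser is told to refuse."""


def parse_profile_strict(data):
    """Return element names in document order, refusing DTDs and entities."""
    names = []
    parser = xml.parsers.expat.ParserCreate()

    def refuse_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenXml("DOCTYPE declaration refused: %r" % name)

    def refuse_entity(name, is_param, value, base, sysid, pubid, notation):
        raise ForbiddenXml("entity declaration refused: %r" % name)

    def refuse_external_ref(context, base, sysid, pubid):
        raise ForbiddenXml("external entity reference refused: %r" % sysid)

    # Exceptions raised inside expat handlers abort Parse() and propagate.
    parser.StartDoctypeDeclHandler = refuse_doctype
    parser.EntityDeclHandler = refuse_entity
    parser.ExternalEntityRefHandler = refuse_external_ref
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(data, True)
    return names


def verdict(data):
    """Classify a document as accepted, refused (with reason) or malformed."""
    try:
        parse_profile_strict(data)
        return "accepted"
    except ForbiddenXml as exc:
        return "refused: %s" % exc
    except xml.parsers.expat.ExpatError:
        return "malformed"


# Constructed sample inputs (not taken from the advisory).
BENIGN = (b'<?xml version="1.0"?>'
          b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
          b'<rdf:Description rdf:ID="Profile"/></rdf:RDF>')
WITH_DTD = (b'<?xml version="1.0"?><!DOCTYPE profile ['
            b'<!ENTITY ext SYSTEM "http://example.invalid/placeholder">]>'
            b'<profile>&ext;</profile>')
```

Rejecting the document at the first `DOCTYPE` means no entity is ever resolved, which is the same policy hardened parser configurations apply when DTD processing is disabled.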