CRITICAL🇵🇱 Wersja polska

CVE-2019-19144

CVSS 9.8v3.1pub. 2025-08-01upd. 2026-04-15

XML External Entity Injection vulnerability in Quantum DXi6702 2.3.0.3 (11449-53631 Build304) devices via rest/Users?action=authenticate.

🤖 AI Analysis
How it works

An attacker sends a crafted HTTP request to the rest/Users?action=authenticate endpoint containing a malicious XML document with external entity references (External Entity). The vulnerable XML parser processes this entity without proper restrictions (CWE-776 — lack of protection against recursive entity references), allowing the attacker to control the parsing process. The attack requires no authentication or user interaction and is possible remotely over the network.

Impact

An attacker can gain unauthorized access to sensitive data (e.g., files from the device's local file system), and depending on the environment configuration, may compromise data integrity or cause service unavailability. The full scope of impact includes violations of system confidentiality, integrity, and availability.

Mitigation & patch

Apply patches available from the manufacturer according to the references. It is recommended to restrict network access to the device's REST interface exclusively to trusted hosts using firewall or network rules until the update is deployed.

Who is affected

Quantum DXi6702 devices in software version 2.3.0.3 (build 11449-53631 Build304)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
XXE
CWE
References