CVE-2023-47160
Published: 19 February 2025
Description
IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
Security Summary
IBM Cognos Controller versions 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 are vulnerable to XML External Entity Injection (XXE, CWE-611) when processing XML data. CWE-611 covers XML parsers that honour entity declarations carried in a document's own DTD, so an attacker who controls the XML can declare an entity whose URI points at a local file or an internal URL and have the parser fetch and inline it. The vulnerability, tracked as CVE-2023-47160, carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L); the high severity comes from the confidentiality impact (C:H, disclosure of server-side data), with a lesser availability impact (A:L).
A remote attacker needs no authentication, privileges or user interaction; only network access to the affected service is required and the attack complexity is low. A successful attack can disclose sensitive information from the server (typically by making the parser read server-side files or internal URLs) or make the parser consume excessive memory while expanding entities, which can lead to a denial-of-service condition.
IBM has issued a security advisory providing details on this vulnerability, available at https://www.ibm.com/support/pages/node/7183597.
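The two impacts named above correspond to two XML parser behaviours: resolving external entities (a SYSTEM identifier in the DTD is fetched and spliced into the document, which discloses whatever file or URL it names) and expanding nested internal entities (a small DTD expands into a very large amount of text in memory). The IBM advisory does not say how the Cognos Controller parser was configured or what the fix changed, so the following is a generic illustration added for this page, not IBM's code and not taken from the advisory. It is a self-contained Python script using the standard library expat bindings: a parser configured to resolve external entities leaks a constructed secret file through a classic XXE payload, while a hardened parser refuses any DOCTYPE before an entity can be declared (the same idea as the `http://apache.org/xml/features/disallow-doctype-decl` feature on a Java `DocumentBuilderFactory`). The secret file, its path and both payloads are constructed for the demonstration.

```python
"""Added XXE demonstration: resolving parser vs. DOCTYPE-rejecting parser.
Standard library only (xml.parsers.expat). All inputs are constructed."""
import os
import tempfile
import urllib.request
from xml.parsers import expat

# Constructed stand-in for a sensitive server-side file; not real data.
SECRET = b"db_password=hunter2"

# Size cap for the hardened parser. Bounds work per request but is NOT a
# defence on its own: entity-expansion payloads are only a few hundred bytes.
MAX_XML_BYTES = 1 << 20


def xxe_payload(target_url: str) -> bytes:
    """Classic XXE: an external general entity whose SYSTEM id names a local
    file. A resolving parser inlines the file content where &xxe; appears."""
    head = b'<?xml version="1.0"?><!DOCTYPE data [<!ENTITY xxe SYSTEM "'
    tail = b'">]><data><value>&xxe;</value></data>'
    return head + target_url.encode() + tail


# Entity expansion ("billion laughs"), truncated to three levels here. The
# real attack nests about ten levels, so ~10^9 copies of "lol" are built in
# memory from a few hundred bytes of input: the memory-consumption impact.
LAUGHS_PAYLOAD = (
    b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
    b'<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">'
    b'<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">'
    b"]><lolz>&lol2;</lolz>"
)


def parse_resolving(xml_bytes: bytes) -> str:
    """Vulnerable configuration: every external entity reference is resolved
    by fetching its SYSTEM id (file://, http://, ...) and parsing the result
    as part of the document. Returns the document's character data."""
    text = []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = text.append

    def resolve(context, base, system_id, public_id):
        # The dangerous step: the parser follows an attacker-chosen URL.
        with urllib.request.urlopen(system_id) as src:
            body = src.read()
        child = parser.ExternalEntityParserCreate(context)
        child.Parse(body, True)  # child inherits handlers, so text lands in `text`
        return 1

    parser.ExternalEntityRefHandler = resolve
    parser.Parse(xml_bytes, True)
    return "".join(text)


def parse_hardened(xml_bytes: bytes) -> str:
    """Hardened configuration: reject any DOCTYPE (the only place entities can
    be declared), never resolve parameter or external entities, cap the size.
    Raises ValueError on a rejected document."""
    if len(xml_bytes) > MAX_XML_BYTES:
        raise ValueError("document too large")
    text = []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = text.append
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        # Fired when expat reaches "[" or ">" of the DOCTYPE, i.e. before any
        # <!ENTITY ...> in the internal subset has been processed.
        raise ValueError("DOCTYPE declarations are not accepted")

    parser.StartDoctypeDeclHandler = reject_doctype
    # No ExternalEntityRefHandler is installed: even if a DOCTYPE slipped
    # through, nothing here would fetch an external resource.
    parser.Parse(xml_bytes, True)
    return "".join(text)


def demo() -> dict:
    """Write the constructed secret to a temp file, run the XXE payload through
    both parsers and the expansion payload through the hardened one."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")
        with open(secret_path, "wb") as f:
            f.write(SECRET)
        payload = xxe_payload("file://" + secret_path)
        results = {"leaked": parse_resolving(payload),
                   "xxe_rejected": False, "laughs_rejected": False}
        for key, doc in (("xxe_rejected", payload),
                         ("laughs_rejected", LAUGHS_PAYLOAD)):
            try:
                parse_hardened(doc)
            except ValueError:
                results[key] = True
        results["benign"] = parse_hardened(b"<data><value>ok</value></data>")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running the script prints the secret recovered by the resolving parser and the two rejections by the hardened one. Refusing the DTD closes both vectors at once, which is why it is the preferred fix over entity-count or size limits: the disclosure payload needs an entity declaration, and the expansion payload needs several, and neither can exist without a DOCTYPE. The benign document parses normally, showing that the restriction costs nothing for ordinary data exchange that does not rely on DTDs.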
Details
- CWE(s)