yWorks yEd Desktop before 3.20.1 allows code execution via an XSL Transformation when using an XML file in conjunction with a custom stylesheet.
References
Link | Resource |
---|---|
https://www.yworks.com/products/yed/download | Release Notes Vendor Advisory |
https://zigrin.com/advisories/yworks-yed-graph-editor-xslt-remote-code-execution-in-xml/ | |
https://www.yworks.com/products/yed/download | Release Notes Vendor Advisory |
https://zigrin.com/advisories/yworks-yed-graph-editor-xslt-remote-code-execution-in-xml/ |
Configurations
History
21 Nov 2024, 05:17
Type | Values Removed | Values Added |
---|---|---|
References | () https://www.yworks.com/products/yed/download - Release Notes, Vendor Advisory | |
References | () https://zigrin.com/advisories/yworks-yed-graph-editor-xslt-remote-code-execution-in-xml/ - |
28 Sep 2023, 14:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
Information
Published : 2020-09-17 19:15
Updated : 2024-11-21 05:17
NVD link : CVE-2020-25216
Mitre link : CVE-2020-25216
CVE.ORG link : CVE-2020-25216
JSON object : View
Products Affected
yworks
- yed
CWE
CWE-91
XML Injection (aka Blind XPath Injection)