CVE-2025-0617

Jan. 29, 2025, 11:15 a.m.

5.9
Medium

Description

An attacker with access to an HX 10.0.0 and previous versions, may send specially-crafted data to the HX console. The malicious detection would then trigger file parsing containing exponential entity expansions in the consumer process thus causing a Denial of Service.

Product(s) Impacted

Product Versions
HX console
  • ['10.0.0', 'previous versions']

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-776
Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

References

https://thrive.trellix.com/s/article/000014214

Tags

trellixpsirt@trellix.com
CWE-776
2025-01-29
CVE-2025-0617

CVSS Score

5.9 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

    View Vector String

Timeline

Published: Jan. 29, 2025, 11:15 a.m.
Last Modified: Jan. 29, 2025, 11:15 a.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

trellixpsirt@trellix.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.