CVE-2016-15011 — dssp vulnerable to Improper Restriction of XML External Entity Reference

Description

A vulnerability classified as problematic was found in e-Contract dssp up to 1.3.1. Affected by this vulnerability is the function `checkSignResponse` of the file `dssp-client/src/main/java/be/e_contract/dssp/client/SignResponseVerifier.java`. The manipulation leads to xml external entity reference. Upgrading to version 1.3.2 can address this issue. The name of the patch is ec4238349691ec66dd30b416ec6eaab02d722302. It is recommended to upgrade the affected component. The identifier VDB-217549 was assigned to this vulnerability.

How to fix CVE-2016-15011

To remediate CVE-2016-15011, upgrade the affected package to a fixed version below.

—upgrade to 1.3.2 or later

Is CVE-2016-15011 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.3.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-15011
PATCHgithub.com/e-Contract/dssp
WEBgithub.com/e-Contract/dssp/commit/ec4238349691ec66dd30b416ec6eaab02d722302
WEBgithub.com/e-Contract/dssp/releases/tag/dssp-1.3.2
WEB