Improper Restriction of XML External Entity Reference (CVE-2020-6590)
- Article Number: 000019488
- Products: Forcepoint Web Security
- Version: 8.5
- Last Published Date: April 08, 2021
Published Date: April 8, 2021
Last Update: n/a
KBA Status: Published
KBA Severity: High
Forcepoint Web Security Content Gateway versions prior to 8.5.4 improperly process XML input, leading to information disclosure. Forcepoint would like to thank researchers Sagi Cohen and Almog Cygel, as well as Frederic Quenneville, Pentester at Videotron, for discovering this issue and participating in a coordinated vulnerability disclosure.
This description is from https://cwe.mitre.org/data/definitions/611.html:
The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Customers should upgrade to Forcepoint Web Security version 8.5.4.
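The weakness class in the CWE-611 description quoted above can be closed at the parser by refusing any declaration that names a URI outside the document. The following is an added example, not Forcepoint code and not a reproduction of this CVE; the function names and sample documents are constructed for illustration, and it uses Python's standard `xml.parsers.expat` module.

```python
import xml.parsers.expat


class ExternalEntityRejected(ValueError):
    """The document points the parser at a URI outside the document itself."""


def extract_text(xml_bytes):
    """Return character data; refuse external DTDs and external entities."""
    parser = xml.parsers.expat.ParserCreate()
    chunks = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # <!DOCTYPE x SYSTEM "uri"> names an external DTD subset.
        if system_id is not None or public_id is not None:
            raise ExternalEntityRejected(f"external DTD: {system_id!r}")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities carry a literal value; external ones carry a URI.
        if system_id is not None or public_id is not None:
            raise ExternalEntityRejected(f"external entity {name!r}: {system_id!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.CharacterDataHandler = chunks.append
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def verdict(xml_bytes):
    """Classify input as 'accepted' or 'rejected' for logging or gating."""
    try:
        extract_text(xml_bytes)
        return "accepted"
    except ExternalEntityRejected:
        return "rejected"


# Constructed sample inputs (not taken from the advisory).
PLAIN = b"<note>hello</note>"
INTERNAL = b'<!DOCTYPE note [<!ENTITY who "world">]><note>hello &who;</note>'
EXTERNAL = (b'<!DOCTYPE note [<!ENTITY ext SYSTEM "file:///constructed/outside.txt">]>'
            b"<note>&ext;</note>")
EXTERNAL_DTD = b'<!DOCTYPE note SYSTEM "http://dtd.example.invalid/note.dtd"><note>hi</note>'

if __name__ == "__main__":
    for sample in (PLAIN, INTERNAL, EXTERNAL, EXTERNAL_DTD):
        print(verdict(sample), sample[:40])
```

Internal entities are still expanded here; a service that never needs a DTD can reject every `DOCTYPE` in `on_doctype` instead.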