JVNDB-2023-000104

Improper restriction of XML external entity references (XXE) in Proself

Proself provided by North Grid Corporation improperly restricts XML external entity references (XXE) (CWE-611).
The developer states that attacks exploiting this vulnerability have been observed.

North Grid Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and North Grid Corporation coordinated under the Information Security Early Warning Partnership.

North Grid Corporation

• Proself Enterprise Edition Ver5.62 and earlier
• Proself Gateway Edition Ver1.65 and earlier
• Proself Mail Sanitize Edition Ver1.08 and earlier
• Proself Standard Edition Ver5.62 and earlier

By processing a specially crafted request containing malformed XML data, arbitrary files on the server, such as account information, may be read by an attacker.

[Update the software]
Update the software to the latest version according to the information provided by the developer.

[Apply the workaround]
Until the software is updated, the developer recommends to apply the workaround to mitigate the impact of this vulnerability.

[Stop using the products]
According to the developer, the following products are no longer supported. Stop using the vulnerable products and consider switching to alternatives.

• Proself Enterprise/Standard Edition Ver.4 and earlier

North Grid Corporation

• North Grid Corporation : [Urgent] Attacks exploiting a zero-day vulnerability (CVE-2023-45727) of Proself (updated) (in Japanese)

1. No Mapping(CWE-Other) [IPA Evaluation]

1. CVE-2023-45727

1. JVN : JVN#95981460
2. IPA SECURITY ALERTS : Security Alert for Vulnerability in Proself (JVN#95981460) (in Japanese)
3. JPCERT REPORT : JPCERT-AT-2023-0022 (in Japanese)

• [2023/10/18]
    Web page was published