The application contains an XML external entity injection (XXE) vulnerability, which may allow an attacker to view files on the application server filesystem.ĬVE-2021-40356 has been assigned to this vulnerability. 3.2.3 IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611 A CVSS v3 base score of 7.2 has been calculated the CVSS vector string is ( AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). The affected application contains an insecure direct object reference (IDOR) vulnerability, which may allow an attacker to use user-supplied input to access objects directly.ĬVE-2021-40355 has been assigned to this vulnerability. 3.2.2 A UTHORIZATION BYPASS THROUGH USER-CONTROLLED KEY CWE-639 A CVSS v3 base score of 7.1 has been calculated the CVSS vector string is ( AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N). Any profile on the application can perform this attack and access any other user assigned tasks via the “inbox/surrogate tasks.”ĬVE-2021-40354 has been assigned to this vulnerability. The “surrogate” functionality on the user profile of the application does not perform sufficient access control, which may allow an account takeover. Teamcenter 13.2: All versions prior to 13.2.0.2 3.2 VULNERABILITY OVERVIEW 3.2.1 PRIVILEGE DEFINED WITH UNSAFE ACTIONS CWE-267 Teamcenter 13.1: All versions prior to 13.1.0.5 Teamcenter 13.0: All versions prior to 13.0.0.7 Teamcenter 12.4: All versions prior to 12.4.0.8 The following versions of Teamcenter, a virtualization platform, are affected: Successful exploitation of these vulnerabilities could allow an attacker to view sensitive files, bypass authorization, or take over another account. Vulnerability: Privilege Defined with Unsafe Actions, Authorization Bypass Through User-Controlled Key, Improper Restriction of XML External Entity Reference.ATTENTION: Exploitable remotely/low attack complexity.