Exadel Flamingo Multiple Remote Code Execution and XML External Entity Injection Vulnerabilities

Exadel Flamingo is prone to multiple remote code execution vulnerabilities and an XML External Entity injection vulnerability.

Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the affected application, to gain access to sensitive information or cause denial-of-service conditions.

Exadel Flamingo 2.2.0 is vulnerable; other versions may also be affected.

Information

Bugtraq ID: 97380
Class: Input Validation Error
CVE: CVE-2017-3201
CVE-2017-3202
CVE-2017-3206

Remote: Yes
Local: No
Published: Apr 04 2017 12:00AM
Credit: Markus Wulftange
Vulnerable: Exadel Flamingo 2.2

Not Vulnerable:

References:

• Exadel Flamingo Homepage (Exadel)
  
• AMF â?? Another Malicious Format (AMF)
  
• VU#307983: AMF3 Java implementations are vulnerable to insecure deserialization (CERT)
  

Source: www.securityfocus.com