
Description

KYOCERA Net Admin 3.4.0906 contains an XML External Entity (XXE) injection vulnerability in the Multi-Set Template Editor that allows unauthenticated attackers to read arbitrary system files. Attackers can craft a malicious XML file with external entity references to retrieve sensitive configuration data like database credentials through an out-of-band channel attack.

PUBLISHED Reserved 2025-12-24 | Published 2025-12-24 | Updated 2025-12-24 | Assigner VulnCheck




HIGH: 7.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)
HIGH: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Problem types

Improper Restriction of XML External Entity Reference

Product status

3.4.0906: affected

Credits

LiquidWorm as Gjoko Krstic of Zero Science Lab (finder)

References

www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5459.php exploit

www.exploit-db.com/exploits/44430 (ExploitDB-44430) exploit

global.kyocera.com (Kyocera Official Website) product

www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5459.php (Zero Science Lab Disclosure (ZSL-2018-5459)) third-party-advisory

cve.org (CVE-2019-25253)

nvd.nist.gov (CVE-2019-25253)


Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.