CVE-2023-7307
BaseFortify
Publication date: 2025-08-27
Last updated on: 2025-08-29
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sangfor | behavior_management_system | * |
| sangfor | iam | 12.0.23 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-611 | The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an XML external entity (XXE) injection in the Sangfor Behavior Management System's /src/sangforindex endpoint. It allows a remote unauthenticated attacker to send specially crafted XML data containing external entity definitions. Due to improper XML parser configuration, the system processes these external entities without restriction, which can lead to disclosure of internal files, server-side request forgery (SSRF), or other impacts depending on how the XML parser behaves.
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized disclosure of internal files, which may expose sensitive information. It can also enable server-side request forgery (SSRF), allowing attackers to make unauthorized requests from the server, potentially accessing internal systems or services. These impacts can compromise system confidentiality and integrity.