logo_clicknbuy.png

CVE-2023-7307 – Sangfor Behavior Management System XXE Injection Vulnerability

The following table lists the changes that have been made to the
CVE-2023-7307 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution
of a vulnerability, and for identifying the most recent changes that may
impact the vulnerability’s severity, exploitability, or other characteristics.

  • New CVE Received
    by [email protected]

    Aug. 27, 2025

    Action Type Old Value New Value
    Added Description Sangfor Behavior Management System (also referred to as DC Management System in Chinese-language documentation) contains an XML external entity (XXE) injection vulnerability in the /src/sangforindex endpoint. A remote unauthenticated attacker can submit crafted XML data containing external entity definitions, leading to potential disclosure of internal files, server-side request forgery (SSRF), or other impacts depending on parser behavior. The vulnerability is due to improper configuration of the XML parser, which allows resolution of external entities without restriction. This product is now integrated into their IAM (Internet Access Management) platform and an affected version range is undefined.
    Added CVSS V4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
    Added CWE CWE-611
    Added Reference https://support.sangfor.com.cn/productDocument/read?product_id=22&version_id=329&category_id=261800
    Added Reference https://www.cnblogs.com/pursue-security/p/17666126.html
    Added Reference https://www.sangfor.com/blog/cybersecurity/launching-sangfor-iam-12-0-23-manage-risky-shadow-it-right-way
    Added Reference https://www.vulncheck.com/advisories/sangfor-behavior-management-system-xml-external-entity-injection
Share the Post:

Related Posts