XML External Entity Injection vulnerability in Quantum DXi6702 2.3.0.3 (11449-53631 Build304) devices via rest/Users?action=authenticate.
An attacker sends a crafted HTTP request to the rest/Users?action=authenticate endpoint containing a malicious XML document with external entity references (External Entity). The vulnerable XML parser processes this entity without proper restrictions (CWE-776 — lack of protection against recursive entity references), allowing the attacker to control the parsing process. The attack requires no authentication or user interaction and is possible remotely over the network.
An attacker can gain unauthorized access to sensitive data (e.g., files from the device's local file system), and depending on the environment configuration, may compromise data integrity or cause service unavailability. The full scope of impact includes violations of system confidentiality, integrity, and availability.
Apply patches available from the manufacturer according to the references. It is recommended to restrict network access to the device's REST interface exclusively to trusted hosts using firewall or network rules until the update is deployed.
Quantum DXi6702 devices in software version 2.3.0.3 (build 11449-53631 Build304)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H