High severity7.5NVD Advisory· Published Jan 3, 2016· Updated May 6, 2026

CVE-2015-5038

Description

IBM Connections 3.x before 3.0.1.1 CR3, 4.0 before CR4, 4.5 before CR5, and 5.0 before CR3 does not properly detect recursion during XML entity expansion, which allows remote attackers to cause a denial of service (CPU consumption and application crash) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.

Affected products

IBM/Connections4 versions
cpe:2.3:a:ibm:connections:*:*:*:*:*:*:*:*+ 3 more
- cpe:2.3:a:ibm:connections:*:*:*:*:*:*:*:*range: <=3.0.1.1
- cpe:2.3:a:ibm:connections:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:connections:4.5:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:connections:5.0:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www-01.ibm.com/support/docview.wssnvdVendor Advisory
www-01.ibm.com/support/docview.wssnvd

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000