CVE-2018-14473
Description
OCS Inventory 2.4.1 lacks a proper XML parsing configuration, allowing the use of external entities. This issue can be exploited by an attacker sending a crafted HTTP request in order to exfiltrate information or cause a Denial of Service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OCS Inventory 2.4.1 allows XXE attacks due to improper XML parsing, leading to information exfiltration or denial of service.
Vulnerability
OCS Inventory version 2.4.1 is vulnerable to XML External Entity (XXE) injection due to improper configuration of the XML parser. The parser does not disable external entities, allowing an attacker to inject malicious XML content. This affects the endpoints that process XML data received from agents or other sources.
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP request containing an XML payload with an external entity reference. No authentication is required. The attacker must be able to reach the OCS Inventory server's XML processing interface. The request triggers the parser to resolve the external entity, which can be a local file or a network resource.
Impact
Successful exploitation enables an attacker to exfiltrate sensitive files from the server (e.g., configuration files with credentials) or cause a denial of service by exhausting server resources through recursive entity expansion. The impact may also include server-side request forgery if the external entity references internal network resources [1].
Mitigation
Upgrade to a patched version of OCS Inventory where the XML parser is configured securely (e.g., disabling external entities). The vendor released a fix after this vulnerability was reported [1]. If upgrading is not immediately possible, consider applying input validation and restricting XML parsing options. No workaround is documented for this specific issue.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
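The mitigation above comes down to one parser setting: inbound agent XML never needs a DTD, so the parser should refuse one outright rather than resolve external entities. The following is an added illustration written for this page, not code from OCS Inventory (which is a Perl application) and not taken from the referenced advisory. It assumes Python's standard `xml.parsers.expat` module; the `<REQUEST>` documents, the `parse_request`/`accepts` function names and the `UnsafeXMLError` class are all constructed for the example and are not the real OCS agent schema.

```python
import xml.parsers.expat as expat

# Constructed sample (assumption: not OCS Inventory's real agent schema): a benign upload.
BENIGN_XML = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b"<REQUEST><DEVICEID>host-01</DEVICEID><QUERY>INVENTORY</QUERY></REQUEST>"
)

# Constructed sample: the same document carrying a DTD that declares an external entity.
# A parser left at defaults that resolve such entities would fetch the named resource;
# the hardened parser refuses the document at the DOCTYPE, before any entity exists.
DTD_XML = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<!DOCTYPE REQUEST [<!ENTITY ext SYSTEM "http://example.invalid/resource">]>'
    b"<REQUEST><DEVICEID>&ext;</DEVICEID><QUERY>INVENTORY</QUERY></REQUEST>"
)


class UnsafeXMLError(ValueError):
    """Raised when an inbound document uses XML features the service does not need."""


def parse_request(data: bytes) -> dict:
    """Parse a flat <REQUEST> document into {tag: text}, refusing any DTD.

    Machine-to-machine XML such as an inventory upload never needs a DOCTYPE, so the
    simplest safe policy is to reject every DTD. That blocks external entities (local
    file and network reads) and internal entity expansion (resource exhaustion) alike.
    """
    parser = expat.ParserCreate()
    fields: dict = {}
    depth = 0
    chunks: list = []

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE {name!r} is not permitted in agent XML")

    def forbid_external_entity(context, base, system_id, public_id):
        # Defence in depth: not reached while DOCTYPE is refused, but keeps the parser
        # from resolving an external entity if the policy above is ever relaxed.
        raise UnsafeXMLError(f"external entity {system_id!r} is not permitted")

    def start(name, attrs):
        nonlocal depth
        depth += 1
        chunks.clear()

    def end(name):
        nonlocal depth
        text = "".join(chunks).strip()
        if depth > 1 and text:  # leaf elements only; root-level text is whitespace
            fields[name] = text
        chunks.clear()
        depth -= 1

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.ExternalEntityRefHandler = forbid_external_entity
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chunks.append
    parser.Parse(data, True)  # an exception raised inside a handler propagates here
    return fields


def accepts(data: bytes) -> bool:
    """True if the hardened parser accepts the document, False if it refuses it."""
    try:
        parse_request(data)
        return True
    except (UnsafeXMLError, expat.ExpatError):
        return False


if __name__ == "__main__":
    print(parse_request(BENIGN_XML))  # {'DEVICEID': 'host-01', 'QUERY': 'INVENTORY'}
    print(accepts(DTD_XML))           # False
```

Rejecting at the DOCTYPE declaration is deliberate: it fires before the internal subset is read, so neither external entity declarations nor nested internal entities are ever registered, and the same check covers both the exfiltration and the denial-of-service cases the description lists. The same policy is available in most XML stacks (for instance, a DTD-forbidding start-doctype handler in libxml2- or expat-based parsers); the detail that matters is that it is applied to every endpoint that accepts XML from agents, not just the one the advisory names.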
Affected products
- Range: 2.2, 2.2.1, 2.2RC1, …
- Range: = 2.4.1
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
[1] www.tarlogic.com/en/blog/vulnerabilities-in-ocs-inventory-2-4-1/ (MITRE reference, x_refsource_MISC)
News mentions
No linked articles in our index yet.