CVE-2018-6489
Description
XML External Entity (XXE) vulnerability in Micro Focus Project and Portfolio Management Center, version 9.32. This vulnerability can be exploited to allow XML External Entity (XXE)
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
XML External Entity (XXE) vulnerability in Micro Focus Project and Portfolio Management Center 9.32 allows remote attackers to read files or perform SSRF attacks.
Vulnerability
Micro Focus Project and Portfolio Management Center version 9.32 contains an XML External Entity (XXE) vulnerability. The application fails to properly restrict XML external entity references when parsing XML input, allowing an attacker to inject malicious XML content. This issue is documented in Micro Focus security bulletin KM03014426 [1].
Exploitation
An unauthenticated attacker with network access can send a crafted XML payload to the vulnerable endpoint. The XML parser will process external entities, enabling the attacker to read local files, conduct server-side request forgery (SSRF), or potentially cause a denial of service. No prior authentication is required.
Impact
Successful exploitation leads to information disclosure of sensitive files (e.g., configuration files), internal network scanning via SSRF, or application disruption. The attacker does not gain direct code execution but can extract data from the server's filesystem.
Mitigation
Micro Focus has released a security fix as part of a patch; refer to the bulletin KM03014426 for specific patch details [1]. Users should apply the latest fixes for Project and Portfolio Management Center 9.32. No workarounds are provided.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 9.32
Patches
No patches discovered yet.
References
[1] softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03014426 (mitre, x_refsource_CONFIRM)