Vulnerability Details CVE-2018-1000889
Logisim Evolution version 2.14.3 and earlier contains an XML External Entity (XXE) vulnerability in Circuit file loading functionality (loadXmlFrom in src/com/cburch/logisim/file/XmlReader.java) that can result in information leak, possible RCE depending on system configuration. This attack appears to be exploitable via the victim opening a specially crafted circuit file. This vulnerability appears to have been fixed in 2.14.4.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 51.7%
CVSS Severity
CVSS v3 Score 8.8
CVSS v2 Score 6.8
References
Products affected by CVE-2018-1000889
-
cpe:2.3:a:logisim-evolution_project:logisim-evolution:2.13.10
-
cpe:2.3:a:logisim-evolution_project:logisim-evolution:2.13.12
-
cpe:2.3:a:logisim-evolution_project:logisim-evolution:2.13.14
-
cpe:2.3:a:logisim-evolution_project:logisim-evolution:2.13.18
-
cpe:2.3:a:logisim-evolution_project:logisim-evolution:2.13.22
-
cpe:2.3:a:logisim-evolution_project:logisim-evolution:2.13.5
-
cpe:2.3:a:logisim-evolution_project:logisim-evolution:2.13.9
-
cpe:2.3:a:logisim-evolution_project:logisim-evolution:2.14.1
-
cpe:2.3:a:logisim-evolution_project:logisim-evolution:2.14.2
-
cpe:2.3:a:logisim-evolution_project:logisim-evolution:2.14.3