CVE-2015-7326

9.8 CRITICAL
XXE

📋 TL;DR

This XML External Entity (XXE) vulnerability in Milton Webdav allows attackers to read arbitrary files from the server filesystem, potentially leading to sensitive data exposure. It affects all systems running Milton Webdav versions before 2.7.0.3 that process XML input.

💻 Affected Systems

Products:
  • Milton Webdav
Versions: All versions before 2.7.0.3
Operating Systems: All operating systems running Java
Default Config Vulnerable: ⚠️ Yes
Notes: Any system using Milton Webdav to process XML requests is vulnerable. The vulnerability exists in the XML parsing functionality.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server compromise through file disclosure, potentially including configuration files, credentials, and sensitive application data, which could lead to further attacks.

🟠

Likely Case

Unauthorized reading of server files including configuration files, source code, and potentially sensitive data stored on the filesystem.

🟢

If Mitigated

Limited impact with proper XML parsing configuration that disables external entity processing.

🌐 Internet-Facing: HIGH - WebDAV servers are typically internet-facing and process XML input, making them prime targets for XXE attacks.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit this to access sensitive files, though attack surface is reduced.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XXE vulnerabilities are well-understood with readily available exploit techniques. The vulnerability allows reading arbitrary files via crafted XML requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.7.0.3

Vendor Advisory: https://github.com/miltonio/milton2/commit/5f81b0c48a817d4337d8b0e99ea0b4744ecd720b

Restart Required: Yes

Instructions:

1. Update Milton Webdav to version 2.7.0.3 or later.
2. Update dependencies in your project configuration.
3. Restart the application server.
4. Verify the fix by checking the version and testing XXE protection.

🔧 Temporary Workarounds

Disable XXE in XML parser
  Applies to: all
  Configure the XML parser to disable external entity processing.
  Set XML parser properties: FEATURE_SECURE_PROCESSING = true, DISALLOW_DOCTYPE_DECL = true

Input validation and filtering
  Applies to: all
  Filter or reject XML input containing DOCTYPE declarations or external entity references.
  Implement input validation to block XML with DOCTYPE or SYSTEM entities.
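The parser hardening named in the first workaround, as an added Java example (not Milton's own code): a JAXP DocumentBuilderFactory with secure processing and DOCTYPE rejection enabled, tried against a constructed benign WebDAV PROPFIND body and a constructed body carrying a DOCTYPE, which the hardened builder refuses to parse. The class and method names are assumptions for this illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;

// Hypothetical helper class for this example; not part of Milton.
public class HardenedXmlParser {

    // Build a DocumentBuilder that refuses DOCTYPE declarations and external entities.
    public static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // JAXP secure processing: limits entity expansion and external access.
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Rejecting DOCTYPE outright blocks every entity-based XXE variant.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers where the DOCTYPE feature is not enforced.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    // Parse a request body with the hardened builder; returns null when the parser rejects it.
    public static Document parseOrNull(DocumentBuilder builder, String xml) {
        try {
            return builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        } catch (Exception e) {
            // disallow-doctype-decl surfaces as a SAXParseException before any entity is resolved
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder builder = newHardenedBuilder();
        // Constructed sample: an ordinary PROPFIND body, which must still parse.
        String benign = "<?xml version=\"1.0\"?><D:propfind xmlns:D=\"DAV:\"><D:allprop/></D:propfind>";
        // Constructed sample: the same body preceded by a DOCTYPE; the hardened builder rejects it.
        String doctype = "<?xml version=\"1.0\"?><!DOCTYPE d [<!ENTITY x \"v\">]>"
                + "<D:propfind xmlns:D=\"DAV:\"><D:prop><D:displayname>&x;</D:displayname></D:prop></D:propfind>";
        System.out.println("benign parsed: " + (parseOrNull(builder, benign) != null));
        System.out.println("doctype rejected: " + (parseOrNull(builder, doctype) == null));
    }
}
```

The same feature set applies to SAXParserFactory and XMLInputFactory if Milton or your own code uses those instead of DOM parsing.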

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to vulnerable systems
  • Deploy web application firewall (WAF) with XXE protection rules

🔍 How to Verify

Check if Vulnerable:

Check if Milton Webdav version is below 2.7.0.3 and test with XXE payloads to read server files.

Check Version:

Check application dependencies or pom.xml for Milton Webdav version

Verify Fix Applied:

Test with XXE payloads after patching to confirm file reading is no longer possible.

📡 Detection & Monitoring

Log Indicators:

  • XML parsing errors, unusual file access patterns, requests containing DOCTYPE or SYSTEM entities

Network Indicators:

  • HTTP requests with XML payloads containing external entity references, unusual outbound connections from server

SIEM Query:

source="web_server" AND (http_request CONTAINS "<!DOCTYPE" OR http_request CONTAINS "SYSTEM")

🔗 References
