CVE-2018-15805
📋 TL;DR
This XXE vulnerability in Accusoft PrizmDoc HTML5 Document Viewer allows attackers to read arbitrary files from the server or cause denial of service through resource exhaustion. It affects organizations using PrizmDoc for document viewing in web applications. The high CVSS score reflects the potential for significant data exposure.
💻 Affected Systems
- Accusoft PrizmDoc HTML5 Document Viewer
📦 What is this software?
Prizmdoc by Accusoft
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise with exfiltration of sensitive files (passwords, configuration files, database credentials) leading to data breach and potential lateral movement.
Likely Case
Unauthorized file reading of server-side files, potentially exposing configuration data, source code, or other sensitive information stored on the server.
If Mitigated
Limited impact with proper input validation and XML parser configuration preventing external entity processing.
🎯 Exploit Status
Public proof-of-concept demonstrates out-of-band XXE exploitation via HTTP requests to external servers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 13.5 and later
Vendor Advisory: https://help.accusoft.com/PrizmDoc/v13.5/HTML/webframe.html#Release_v13_5.html
Restart Required: Yes
Instructions:
1. Download PrizmDoc version 13.5 or later from Accusoft.
2. Back up the current installation.
3. Install the updated version following the vendor documentation.
4. Restart the PrizmDoc service and any dependent applications.
🔧 Temporary Workarounds
Disable XML External Entity Processing
Configure XML parsers to disable external entity resolution
Set XML parser properties: FEATURE_SECURE_PROCESSING=true, disallow-doctype-decl=true
Input Validation Filter
Implement strict input validation to reject XML containing DOCTYPE declarations
Implement regex filter: /<!DOCTYPE/i
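The two workaround layers above, shown together as an added Python example that is not from the advisory or from Accusoft: the case-insensitive DOCTYPE pre-filter in front of an expat parser hardened to refuse any DOCTYPE or entity declaration and never resolve parameter entities. The sample documents are constructed, and the file path in the second one is a placeholder.

```python
import xml.parsers.expat

# Constructed sample inputs (not from the advisory): a benign document and one
# shaped like an XXE payload, i.e. a DOCTYPE declaring an external entity.
SAFE_XML = b'<?xml version="1.0"?><doc><title>quarterly report</title></doc>'
XXE_SHAPED_XML = (b'<?xml version="1.0"?>'
                  b'<!DOCTYPE doc [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
                  b'<doc>&ext;</doc>')


class DoctypeRejected(ValueError):
    """Raised when a document carries a DOCTYPE or entity declaration."""


def doctype_filter(raw: bytes) -> bool:
    """Input-validation layer from the advisory (/<!DOCTYPE/i). True means the
    document may proceed to parsing; this is a cheap pre-check, not the fix."""
    return b"<!doctype" not in raw.lower()


def parse_hardened(raw: bytes) -> dict:
    """Parse with expat, refusing DOCTYPE/entity declarations outright and
    never resolving parameter entities. Returns a flat {tag: text} map."""
    parser = xml.parsers.expat.ParserCreate()
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject(*_args):
        raise DoctypeRejected("DOCTYPE and entity declarations are not allowed")

    parser.StartDoctypeDeclHandler = reject  # fires before any <!ENTITY ...>
    parser.EntityDeclHandler = reject        # second line of defence

    result, stack = {}, []

    def start(name, _attrs):
        stack.append(name)
        result.setdefault(name, "")

    def chars(data):
        if stack:
            result[stack[-1]] += data

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = lambda _name: stack.pop()
    parser.Parse(raw, True)  # raises DoctypeRejected on a DOCTYPE
    return result


def is_rejected(raw: bytes) -> bool:
    """Does the hardened parser refuse this document? (handy for tests)"""
    try:
        parse_hardened(raw)
    except DoctypeRejected:
        return True
    return False
```

Keep the parser hardening even where the pre-filter is deployed: the filter only inspects raw bytes, while the parser rejects the declaration wherever and however it is encoded.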
🧯 If You Can't Patch
- Implement network segmentation to isolate PrizmDoc instances from sensitive systems
- Deploy WAF rules to block XML payloads containing DOCTYPE declarations and external entity references
🔍 How to Verify
Check if Vulnerable:
Check the PrizmDoc version via the admin interface or configuration files. If the version is below 13.5, the system is vulnerable.
Check Version:
Check the PrizmDoc configuration files or admin dashboard for version information.
Verify Fix Applied:
Confirm the version is 13.5 or higher, then test with a safe XXE payload, which should be rejected.
📡 Detection & Monitoring
Log Indicators:
- XML parsing errors
- Unusual file access patterns
- Outbound HTTP requests to unusual domains from PrizmDoc process
Network Indicators:
- HTTP requests containing XML with DOCTYPE declarations to PrizmDoc endpoints
- DNS requests for unusual domains from server hosting PrizmDoc
SIEM Query:
source="prizmdoc" AND (message="DOCTYPE" OR message="ENTITY" OR message="SYSTEM")
🔗 References
- https://help.accusoft.com/PrizmDoc/v13.5/HTML/webframe.html#Release_v13_5.html
- https://medium.com/%40mrnikhilsri/oob-xxe-in-prizmdoc-cve-2018-15805-dfb1e474345c