CVE-2023-20855

CVE Database · CVE-2023-20855

CVE-2023-20855

· HIGHModified

CVSS v3.1

8.8

EPSS

1.26%

Published

Feb 21, 2023

Modified

Mar 17, 2025

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

VMware vRealize Orchestrator contains an XML External Entity (XXE) vulnerability. A malicious actor, with non-administrative access to vRealize Orchestrator, may be able to use specially crafted input to bypass XML parsing restrictions leading to access to sensitive information or possible escalation of privileges.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-611CWE-611

Affected Products (2)

vmware · vrealize_automation (up to 8.11.1)vulnerable

vmware · vrealize_orchestrator (up to 8.11.1)vulnerable

References (2)

https://www.vmware.com/security/advisories/VMSA-2023-0005.html

PatchVendor Advisory

https://www.vmware.com/security/advisories/VMSA-2023-0005.html

PatchVendor Advisory

KEV Catalog EPSS Scores Vendors All CVEs