{"id":"CVE-2018-17186","details":"An administrator with workflow definition entitlements can use a DTD in a BPMN workflow definition (XML external entity processing, XXE) to perform malicious operations, including but not limited to file read, file write, and code execution.","aliases":["GHSA-qfjv-998w-q48f"],"modified":"2026-05-18T10:46:30.160940Z","published":"2018-11-06T20:29:00.217Z","references":[{"type":"ADVISORY","url":"https://syncope.apache.org/security#CVE-2018-17186:_XXE_on_BPMN_definitions"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/syncope","events":[{"introduced":"973afc777d2f8093785875c62e808d97334fb2e3"},{"last_affected":"bb22b39ca3e770858e4162521d93a59f1cb7b70a"},{"introduced":"49c2e53ba6baf1423a89b5ab9a24aa665a5780ad"},{"last_affected":"aa29d59ac7506942d72833e178ea9f7e0c81182b"}],"database_specific":{"cpe":"cpe:2.3:a:apache:syncope:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"2.0.0"},{"last_affected":"2.0.11"},{"introduced":"2.1.0"},{"last_affected":"2.1.2"}],"source":"CPE_FIELD"}}],"versions":["syncope-2.0.11","syncope-2.1.2","syncope-2.0.10","syncope-2.1.1","syncope-2.1.0","syncope-2.0.9","syncope-2.0.8","syncope-2.0.7","syncope-2.0.6","syncope-2.0.5","syncope-2.0.4","syncope-2.0.3","syncope-2.0.2","syncope-2.0.1","syncope-2.0.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-17186.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}]}