How severe is CVE-2021-21266?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 5 out of 10.

What type of vulnerability is CVE-2021-21266?

This is classified as CWE-611, which is a common weakness in software security.

CVE-2021-21266 - MEDIUM Severity | CVSS 5

Vulnerability Description

openHAB is a vendor and technology agnostic open source automation software for your home. In openHAB before versions 2.5.12 and 3.0.1 the XML external entity (XXE) attack allows attackers in the same network as the openHAB instance to retrieve internal information like the content of files from the file system. Responses to SSDP requests can be especially malicious. All add-ons that use SAX or JAXB parsing of externally received XML are potentially subject to this kind of attack. In openHAB, the following add-ons are potentially impacted: AvmFritz, BoseSoundtouch, DenonMarantz, DLinkSmarthome, Enigma2, FmiWeather, FSInternetRadio, Gce, Homematic, HPPrinter, IHC, Insteon, Onkyo, Roku, SamsungTV, Sonos, Roku, Tellstick, TR064, UPnPControl, Vitotronic, Wemo, YamahaReceiver and XPath Tranformation. The vulnerabilities have been fixed in versions 2.5.12 and 3.0.1 by a more strict configuration of the used XML parser.

Related Vulnerabilities

CVE-2017-10617

MEDIUM

CVSS:5.0(Medium)

The ifmap service that comes bundled with Contrail has an XML External Entity (XXE) vulnerability that may allow an attacker to retrieve sensitive system files. Affected releases are Juniper Networks ...

CWE-6112017

CVE-2017-7457

MEDIUM

CVSS:5.0(Medium)

XML External Entity via ".AOP" files used by Moxa MX-AOPC Server 1.5 result in remote file disclosure.

CWE-6112017

CVE-2023-4218

MEDIUM

CVSS:5.0(Medium)

In Eclipse IDE versions < 2023-09 (4.29) some files with xml content are parsed vulnerable against all sorts of XXE attacks. The user just needs to open any evil project or update an open project with...

CWE-6112023

CVE-2024-45745

MEDIUM

CVSS:5.0(Medium)

TopQuadrant TopBraid EDG before version 8.0.1 allows an authenticated attacker to upload an XML DTD file and execute JavaScript to read local files or access URLs (XXE). Fixed in 8.0.1 (bug fix: TBS-6...

CWE-6112024

CVE-2025-2070

MEDIUM

CVSS:5.0(Medium)

An improper XML parsing vulnerability was reported in the FileZ client that could allow arbitrary file reads on the system if a crafted url is visited by a local user.

CWE-6112025

CVE-2016-9491

MEDIUM

CVSS:4.9(Medium)

ManageEngine Applications Manager 12 and 13 before build 13690 allows an authenticated user, who is able to access /register.do page (most likely limited to administrator), to browse the filesystem an...

CWE-6112016