9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-20627

GHSA ID

GHSA-75p2-hgw4-g7f7

EPSS Score

0.62562%

CWE

CWE-611

Published

5/24/2022

Updated

9/26/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-20627

CVE-2019-20627: AutoUpdater.NET allows XXE

AutoUpdater.cs in AutoUpdater.NET before 1.5.8 allows XXE.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-20627

GHSA ID

GHSA-75p2-hgw4-g7f7

EPSS Score

0.62562%

CWE

CWE-611

Published

5/24/2022

Updated

9/26/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
Autoupdater.NET.Official	nuget	< 1.5.8	1.5.8

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insecure XML parsing in the auto-update mechanism. The commit 1dc25f2 shows the fix explicitly sets XmlResolver=null when creating the XmlDocument in BackgroundWorkerDoWork. Prior to this patch, the XmlDocument default resolver was active, enabling XXE. The affected code path processes untrusted XML from update servers, making this the clear vulnerability source.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*utoUp**t*r.*s in *utoUp**t*r.N*T ***or* *.*.* *llows XX*.

Reasoning

T** vuln*r**ility st*ms *rom ins**ur* XML p*rsin* in t** *uto-up**t* m****nism. T** *ommit ******* s*ows t** *ix *xpli*itly s*ts `XmlR*solv*r=null` w**n *r**tin* t** `Xml*o*um*nt` in `***k*roun*Work*r*oWork`. Prior to t*is p*t**, t** `Xml*o*um*nt` **

9.8

Basic Information

Concerned about an active attack path?

CVE-2019-20627: AutoUpdater.NET allows XXE

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI