CVE-2013-3617

2022-10-0316:14:44

CWE-264

[email protected]

web.nvd.nist.gov

cve

openbravo erp

xml api

remote users

arbitrary files

xxe

nvd

3.5 Low

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:S/C:P/I:N/A:N

6.5 Medium

AI Score

Confidence

Low

0.299 Low

EPSS

Percentile

97.0%

JSON

The XML API in Openbravo ERP 2.5, 3.0, and earlier allows remote authenticated users to read arbitrary files via an XML document with an external entity declaration in conjunction with an entity reference to /ws/dal/ADUser or other /ws/dal/XXX interfaces, related to an XML External Entity (XXE) issue.

Affected configurations

NVD

Node

openbravoopenbravo_erpRange≤3.0

openbravoopenbravo_erpMatch2.40

openbravoopenbravo_erpMatch2.50

CPENameOperatorVersion
openbravo:openbravo_erpopenbravo openbravo erple3.0
openbravo:openbravo_erpopenbravo openbravo erpeq2.40
openbravo:openbravo_erpopenbravo openbravo erpeq2.50

CPE	Name	Operator	Version
openbravo:openbravo_erp	openbravo openbravo erp	le	3.0
openbravo:openbravo_erp	openbravo openbravo erp	eq	2.40
openbravo:openbravo_erp	openbravo openbravo erp	eq	2.50