Lucene search

Veracode Vulnerability DatabaseVERACODE:44144

HistoryNov 06, 2023 - 5:48 a.m.

XML External Entity Injection

2023-11-0605:48:48

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

xml external entity

opencrx

input sanitization

documentbuilderfactory

server side request forgery

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.4

Confidence

Low

EPSS

0.001

Percentile

51.0%

JSON

OpenCRX is vulnerable to XML External Entity injection (XXE). The vulnerability is due to improper input sanitization in the DocumentBuilderFactory function . This can potentially lead to server side request forgery attacks.

References

gist.github.com/spookhorror/9519fc66d3946e887e4a86c06ddbee0e

github.com/opencrx/opencrx/commit/ce7a71db0bb34ecbcb0e822d40598e410a48b399

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.4

Confidence

Low

EPSS

0.001

Percentile

51.0%

JSON

Related for VERACODE:44144