CVE-2013-3617

The XML API in Openbravo ERP 2.5, 3.0, and earlier allows remote authenticated users to read arbitrary files via an XML document with an external entity declaration in conjunction with an entity reference to /ws/dal/ADUser or other /ws/dal/XXX interfaces, related to an XML External Entity (XXE) issue.

CVSS v2.0 3.5 LOW

3.5^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:M/Au:S/C:P/I:N/A:N

Exploitability : 6.8 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://www.kb.cert.org/vuls/id/533894	Exploit US Government Resource
http://www.securityfocus.com/bid/63431	Exploit
https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:openbravo:openbravo_erp::::::::
	cpe:2.3:a:openbravo:openbravo_erp:2.40:::::::*
	cpe:2.3:a:openbravo:openbravo_erp:2.50:::::::*

History

No history.

Information

Published : 2013-11-02 19:55

Updated : 2024-02-28 12:00

NVD link : CVE-2013-3617

Mitre link : CVE-2013-3617

CVE.ORG link : CVE-2013-3617

JSON object : View

Products Affected

openbravo

openbravo_erp

CWE

CWE-264

Permissions, Privileges, and Access Controls

{"id": "CVE-2013-3617", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2013-11-02T19:55:04.523", "references": [{"url": "http://www.kb.cert.org/vuls/id/533894", "tags": ["Exploit", "US Government Resource"], "source": "cret@cert.org"}, {"url": "http://www.securityfocus.com/bid/63431", "tags": ["Exploit"], "source": "cret@cert.org"}, {"url": "https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats", "source": "cret@cert.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-264"}]}], "descriptions": [{"lang": "en", "value": "The XML API in Openbravo ERP 2.5, 3.0, and earlier allows remote authenticated users to read arbitrary files via an XML document with an external entity declaration in conjunction with an entity reference to /ws/dal/ADUser or other /ws/dal/XXX interfaces, related to an XML External Entity (XXE) issue."}, {"lang": "es", "value": "La API XML en Openbravo ERP 2.5, 3.0 y anteriores permite a usuarios remotos autenticados leer archivos arbitrarios a trav\u00e9s de un documento XML con una declaraci\u00f3n de entidad externa en conjunci\u00f3n con una referencia de entidad en /ws/dal/ADUser u otra interfaz /ws/dal/XXX, esta relacionado con un problema XML External Entity (XXE)."}], "lastModified": "2013-11-21T18:29:55.147", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openbravo:openbravo_erp:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "856429C7-7977-45DF-BA55-A319C87F22E3", "versionEndIncluding": "3.0"}, {"criteria": "cpe:2.3:a:openbravo:openbravo_erp:2.40:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "36E5C029-509F-4005-B428-AC35F16F8A91"}, {"criteria": "cpe:2.3:a:openbravo:openbravo_erp:2.50:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0C864621-1CB9-4753-A184-3CD65FD01CFD"}], "operator": "OR"}]}], "sourceIdentifier": "cret@cert.org"}