Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).
CVE-2011-3600 — XML External Entity (XXE) Injection in Apache Ofbiz
Severity
7.5HIGHNVD
EPSS
65.6%
top 1.50%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
Timeline
PublishedNov 26
Latest updateApr 22
Description
The /webtools/control/xmlrpc endpoint in OFBiz XML-RPC event handler is exposed to External Entity Injection by passing DOCTYPE declarations with executable payloads that discloses the contents of files in the filesystem. In addition, it can also be used to probe for open network ports, and figure out from returned error messages whether a file exists or not. This affects OFBiz 16.11.01 to 16.11.04.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6
Affected Packages2 packages
Patches
🔴Vulnerability Details
4GHSA▶
GHSA-88hg-2f8p-pv3w: The /webtools/control/xmlrpc endpoint in OFBiz XML-RPC event handler is exposed to External Entity Injection by passing DOCTYPE declarations with exec↗2022-04-22
OSV▶
CVE-2011-3600: The /webtools/control/xmlrpc endpoint in OFBiz XML-RPC event handler is exposed to External Entity Injection by passing DOCTYPE declarations with exec↗2019-11-26
CVEList▶
CVE-2011-3600: The /webtools/control/xmlrpc endpoint in OFBiz XML-RPC event handler is exposed to External Entity Injection by passing DOCTYPE declarations with exec↗2019-11-26
💥Exploits & PoCs
1Nuclei▶
Apache OFBiz - XML External Entity Injection