CVE-2013-3617
published 2013-11-02

Priority: P334 · Severity: low (CVSS 2.0 base score 3.5) · Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N
Exploit: available
EPSS: 21.07% (97.3rd percentile)
The XML API in Openbravo ERP 2.5, 3.0, and earlier allows remote authenticated users to read arbitrary files via an XML document with an external entity declaration in conjunction with an entity reference to /ws/dal/ADUser or other /ws/dal/XXX interfaces, related to an XML External Entity (XXE) issue.

Affected (3 ranges)

Vendor    | Product       | Version range | Fixed in
openbravo | openbravo_erp | <= 3.0        |
openbravo | openbravo_erp |               |
openbravo | openbravo_erp |               |

Detection & IOCs (extracted from sources)

url: /ws/dal/ADUser
path: /ws/dal/
command: &xxe;
  • Monitor HTTP requests to the /ws/dal/ XML API endpoints (e.g., /ws/dal/ADUser) for POST bodies containing external entity declarations (DOCTYPE with SYSTEM or PUBLIC keywords), which are characteristic of XXE exploitation attempts.
  • Alert on authenticated HTTP POST requests to Openbravo ERP /ws/dal/* endpoints where the request body contains XML with <!DOCTYPE and SYSTEM file:// or similar URI schemes, indicating local file read via XXE.
  • The exploit payload uses an entity reference &xxe; within the XML body sent to the DAL API; inspect XML payloads for entity references resolving to local filesystem paths.
  • Exploitation requires valid (authenticated) credentials; unauthenticated access to the /ws/dal/ API is not sufficient to trigger the XXE vulnerability.
  • The Metasploit module was specifically tested against Openbravo ERP versions 3.0MP25 and 2.50MP6; coverage of other minor versions is not confirmed.
  • Files are read as the OS user running the Openbravo process, which is generally not root, limiting the scope of accessible files.
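The monitoring notes above, turned into runnable detection logic as an added example (not from this record or from Openbravo): it flags POST bodies to /ws/dal/* that declare a SYSTEM/PUBLIC entity, checks whether the entity is actually referenced, and ranks the hit by URI scheme and by whether the session was authenticated. The Request shape, the severity scale and the sample bodies are assumptions.

```python
import re
from dataclasses import dataclass
# Patterns from the detection notes: POST to /ws/dal/*, a DOCTYPE declaring an
# external (SYSTEM/PUBLIC) entity, and a reference to that entity in the body.
DAL_PATH = re.compile(r"^/ws/dal/")
DOCTYPE = re.compile(r"<!DOCTYPE\b", re.I)
ENTITY_DECL = re.compile(
    r"""<!ENTITY\s+(%\s*)?(\w+)\s+(?:SYSTEM\s+["']([^"']*)["']"""
    r"""|PUBLIC\s+["'][^"']*["']\s+["']([^"']*)["'])""", re.I)

@dataclass
class Request:          # hypothetical normalised form of one HTTP request
    method: str
    path: str
    authenticated: bool
    body: str

def inspect_dal_request(req):
    """Return (severity, reasons) when the request matches the XXE pattern, else None."""
    if req.method.upper() != "POST" or not DAL_PATH.match(req.path):
        return None
    reasons = []
    if DOCTYPE.search(req.body):
        reasons.append("DOCTYPE present in DAL API request body")
    for param, name, sys_id, pub_sys_id in ENTITY_DECL.findall(req.body):
        uri = sys_id or pub_sys_id
        scheme = uri.split(":", 1)[0].lower() if ":" in uri else "relative"
        kind = "parameter entity" if param else "entity"
        reasons.append(f"external {kind} '{name}' -> {scheme} URI")
        if not param and f"&{name};" in req.body:
            reasons.append(f"entity '{name}' referenced in document body")
    if not reasons:
        return None
    local_read = any("-> file URI" in r for r in reasons)
    if local_read and req.authenticated:
        severity = "high"    # the CVE's case: authenticated local file read
    elif req.authenticated:
        severity = "medium"  # external entity declared but no file:// target
    else:
        severity = "low"     # page notes exploitation requires valid credentials
    return severity, reasons

# Constructed sample traffic for a local run (not real captures).
SAMPLES = [
    Request("POST", "/ws/dal/ADUser", True,
            '<!DOCTYPE ob [ <!ENTITY xxe SYSTEM "file:///etc/hostname"> ]>'
            "<ADUser><name>&xxe;</name></ADUser>"),
    Request("POST", "/ws/dal/ADUser", True, "<ADUser><name>alice</name></ADUser>"),
]
```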