CVE-2021-37425
published 2021-08-10


Priority: P272
Severity: critical (CVSS 3.1 base score 9.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:H
Exploit: public exploit known
EPSS: 66.28% (99.2nd percentile)
Altova MobileTogether Server before 7.3 SP1 allows XXE attacks, such as an InfoSetChanges/Changes attack against /workflowmanagement, or reading mobiletogetherserver.cfg and then reading the certificate and private key.

Affected (2 ranges)

Vendor | Product | Version range | Fixed in
altova | mobiletogether_server | (not stated) | (not stated)
altova | mobiletogether_server | >= 7.0, < 7.3 | 7.3

Detection & IOCs (extracted from sources)

url: /workflowmanagement
path: C:\ProgramData\Altova\MobileTogetherServer\mobiletogetherserver.cfg
path: /public/EuroFXrates
port: 8085
other: Server: CherryPy/18.1.0
  • Monitor POST requests to /workflowmanagement containing XML external entity declarations (a DOCTYPE with ENTITY keywords) embedded within the JSON field InfosetChanges/Changes.
  • Alert on HTTP requests to /workflowmanagement where the JSON body contains the string 'InfosetChanges' together with XML DOCTYPE/ENTITY declarations, indicating an XXE attempt.
  • Detect attempts to read the fixed-path configuration file mobiletogetherserver.cfg via XXE, which may expose the certificate and private key paths.
  • Detect XML exponential entity expansion ("billion laughs") payloads in requests to /workflowmanagement, which can cause denial of service through huge server-side resource allocation.
  • Flag use of default credentials (root:root, Base64: cm9vdDpyb290) in Authorization headers targeting MobileTogether Server endpoints.
  • Identify outbound SSRF requests originating from the MobileTogether Server process, triggered by external XML entity references pointing to internal or external URLs.
  • Caveat: file disclosure via XXE is limited to non-binary files and requires the absolute path to be known in advance.
  • Caveat: affected versions span 7.0–7.3 and potentially earlier; the fixed version is 7.3 SP1.
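The first five detection notes above can be turned into a single request inspector. The following is an added example written for this page, not a rule published by any of the cited sources or by Altova: it walks a JSON body for strings carrying a DOCTYPE with ENTITY declarations, tags external (SYSTEM/PUBLIC) entities and nested entity references (the building block of exponential expansion), and flags the Base64 root:root Authorization value quoted above. The sample requests, the field-name matching, and the finding tags are constructed assumptions; the file path in the second sample is a placeholder.

```python
import base64
import json
import re

# Markers from the page's detection notes, expressed as regexes (constructed here).
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
ENTITY_RE = re.compile(r"<!ENTITY\b", re.IGNORECASE)
# External entity: <!ENTITY name SYSTEM ...> or <!ENTITY % name PUBLIC ...>
EXTERNAL_ENTITY_RE = re.compile(r"<!ENTITY\s+%?\s*\w+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
# An internal entity whose replacement text references two or more other
# entities is the pattern that makes "billion laughs" expansion grow exponentially.
NESTED_REF_RE = re.compile(r'<!ENTITY\s+\w+\s+"(?:[^"]*&\w+;){2,}[^"]*"', re.IGNORECASE)
DEFAULT_CRED_B64 = base64.b64encode(b"root:root").decode()  # "cm9vdDpyb290", as on the page
MONITORED_PATH = "/workflowmanagement"
WATCHED_FIELDS = {"infosetchanges", "changes"}  # both spellings on the page, compared lowercase


def _strings_in(obj, key_path=()):
    """Yield (key_path, value) for every string nested anywhere in a JSON-like object."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _strings_in(v, key_path + (k,))
    elif isinstance(obj, list):
        for v in obj:
            yield from _strings_in(v, key_path)
    elif isinstance(obj, str):
        yield key_path, obj


def analyze_request(method, path, headers, body):
    """Return an ordered list of finding tags for one HTTP request.

    headers is a dict; body is the raw request body as a string.
    """
    findings = []
    auth = headers.get("Authorization", "")
    if auth.split() == ["Basic", DEFAULT_CRED_B64]:
        findings.append("default-credentials")
    if path != MONITORED_PATH or method.upper() != "POST":
        return findings
    try:
        doc = json.loads(body)
    except ValueError:
        # Not valid JSON: inspect the raw body so a malformed wrapper cannot hide the XML.
        doc = body
    for key_path, text in _strings_in(doc):
        if not (DOCTYPE_RE.search(text) and ENTITY_RE.search(text)):
            continue
        in_watched = any(str(k).lower() in WATCHED_FIELDS for k in key_path)
        findings.append("xxe-entity-declaration" + ("-in-infosetchanges" if in_watched else ""))
        if EXTERNAL_ENTITY_RE.search(text):
            findings.append("external-entity")
        if NESTED_REF_RE.search(text):
            findings.append("entity-expansion")
    return findings


# Constructed sample traffic (not captured from any server): benign change, XXE with
# default credentials, exponential expansion, and an unrelated GET.
SAMPLE_REQUESTS = [
    ("POST", "/workflowmanagement", {"Content-Type": "application/json"},
     json.dumps({"InfosetChanges": {"Changes": "<root><item>1</item></root>"}})),
    ("POST", "/workflowmanagement", {"Authorization": "Basic cm9vdDpyb290"},
     json.dumps({"InfosetChanges": {"Changes":
         '<!DOCTYPE d [<!ENTITY ext SYSTEM "file:///PLACEHOLDER">]><root>&ext;</root>'}})),
    ("POST", "/workflowmanagement", {},
     json.dumps({"InfosetChanges": {"Changes":
         '<!DOCTYPE d [<!ENTITY a "x"><!ENTITY b "&a;&a;&a;"><!ENTITY c "&b;&b;&b;">]><root>&c;</root>'}})),
    ("GET", "/public/EuroFXrates", {}, ""),
]


def scan_samples():
    """Run the inspector over SAMPLE_REQUESTS and return one findings list per request."""
    return [analyze_request(*req) for req in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (method, path, _, _), found in zip(SAMPLE_REQUESTS, scan_samples()):
        print(f"{method} {path}: {found or 'clean'}")
```

The check is deliberately applied to every string in the JSON tree, not only to InfosetChanges/Changes, and the tag only gains the "-in-infosetchanges" suffix when the field name matches; the caveat above that XXE disclosure needs a known absolute path does not change the request-side signature, so the detection does not depend on which path the entity names.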

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
nvd | v2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:P