CVE-2021-37425
Published: 2021-08-10
Priority: P2 · 72 · Critical · 9.1 · CVSS 3.1
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:H
Tags: EXPLOIT
EPSS: 66.28% (99.2nd percentile)
Altova MobileTogether Server before 7.3 SP1 allows XXE attacks, such as an InfoSetChanges/Changes attack against /workflowmanagement, or reading mobiletogetherserver.cfg and then reading the certificate and private key.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| altova | mobiletogether_server | — | — |
| altova | mobiletogether_server | >= 7.0 < 7.3 | 7.3 |
Detection & IOCs (extracted from sources)
- Monitor POST requests to /workflowmanagement containing XML external entity declarations (DOCTYPE with ENTITY keywords) embedded within the JSON field InfosetChanges/Changes.
- Alert on HTTP requests to /workflowmanagement where the JSON body contains the string 'InfosetChanges' and XML DOCTYPE/ENTITY declarations, indicating an XXE attempt.
- Detect attempts to read the fixed-path configuration file mobiletogetherserver.cfg via XXE, which may expose certificate and private key paths.
- Detect XML exponential entity expansion (billion laughs) payloads in requests to /workflowmanagement, which can cause denial of service via huge server-side resource allocation.
- Flag use of default credentials (root:root, Base64: cm9vdDpyb290) in Authorization headers targeting MobileTogether Server endpoints.
- Identify outbound SSRF requests originating from the MobileTogether Server process, triggered by external XML entity references pointing to internal or external URLs.
- Note: file disclosure via XXE is limited to non-binary files and requires the absolute path to be known in advance.
- Note: affected versions span 7.0–7.3 and potentially earlier; the fixed version is 7.3 SP1.
CVSS provenance
- NVD v3.1: 9.1 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
- NVD v2.0: 6.4 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:P
GHSA (unreviewed) · 2022-05-24
CVE-2021-37425 [CRITICAL] CWE-611 GHSA-mwxw-r5fq-rx8v: Altova MobileTogether Server before 7
Altova MobileTogether Server before 7.3 SP1 allows XXE attacks, such as an InfoSetChanges/Changes attack against /workflowmanagement, or reading mobiletogetherserver.cfg and then reading the certificate and private key.
GHSA (unreviewed) · 2022-05-24 · CVSS 9.1
CVE-2021-38490 [CRITICAL] CWE-776 GHSA-8x79-xcgh-ghvm: Altova MobileTogether Server before 7
Altova MobileTogether Server before 7.3 SP1 allows XML exponential entity expansion, a different vulnerability than CVE-2021-37425.
No detection rules found.
No writeups or analysis indexed.
References
- http://seclists.org/fulldisclosure/2021/Aug/12
- https://www.altova.com/mobiletogether
- https://www.redteam-pentesting.de/advisories/rt-sa-2021-002
- https://www.redteam-pentesting.de/en/advisories/-advisories-publicised-vulnerability-analyses