CVE-2024-6893
Published 2024-08-08
Priority: P1 (84) · Severity: high · CVSS 3.1 base score: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploited in the wild (ITW exploit; listed in VulnCheck KEV)
EPSS: 32.92% (98.1th percentile)
The "soap_cgi.pyc" API handler allows the XML body of SOAP requests to contain references to external entities. This allows an unauthenticated attacker to read local files, perform server-side request forgery, and overwhelm the web server resources.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| journyx | journyx | — | — |
Detection & IOCs (extracted from sources)
- Target the POST endpoint /jtcgi/soap_cgi.pyc with a SOAP XML body containing an XXE payload referencing external entities (e.g., file:///etc/passwd). A successful exploit response will contain 'root:.*:0:0:' or 'invalid password for user' in the body, and 'text/xml' in the response Content-Type header with HTTP 200.
- Response body match for successful XXE file read: regex 'root:.*:0:0:' (passwd file content) AND 'invalid password for user', combined with Content-Type header containing 'text/xml' and HTTP status 200.
- The vulnerability is unauthenticated — no session or credentials are required to exploit the XXE via the SOAP API handler.
- Journyx instances can be fingerprinted via FOFA using icon hash -109972155 to identify exposed targets.
- The vulnerability affects Journyx up to and including version 11.5.4. Version 11.5.5 is the patched release.
- The EPSS score is extremely high (0.91385, 99.66th percentile), indicating this CVE has a very high probability of exploitation in the wild and should be prioritized.
CVSS provenance
- NVD (v3.1): 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- VulnCheck: 7.5 HIGH
GHSA
GHSA-9hxq-vv35-9r5r (ghsa_unreviewed, 2024-08-08): CVE-2024-6893 [HIGH], CWE-611
VulnCheck
CVE-2024-6893 [HIGH]: journyx journyx Improper Restriction of XML External Entity Reference (vulncheck, 2024, CVSS 7.5)
Affected: journyx journyx
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-09-04&host_type=src&vulnerability=cve-2024-6893
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-09-08&host_type=src&vulnerability=cve-2024-6893
- https
No detection rules found.
Nuclei
CVE-2024-6893 [HIGH]: Journyx - XML External Entities Injection (XXE) (nuclei, CVSS 7.5)
Template:

```yaml
id: CVE-2024-6893
info:
  name: Journyx - XML External Entities Injection (XXE)
  author: s4e-io
  severity: high
  description: |
    The "soap_cgi.pyc" API handler allows the XML body of SOAP requests to contain references to external entities. This allows an unauthenticated attacker to read local files, perform server-side request forgery, and overwhelm the web server resources.
  impact: |
    Unauthenticated attackers can exploit XXE to read local files, perform SSRF attacks, and cause denial of
```
No writeups or analysis indexed.
Timeline:
- 2024-08-08: Published
- Exploited in the wild