cbcvebase.
CVE-2024-6893
published 2024-08-08

CVE-2024-6893: The "soap_cgi.pyc" API handler allows the XML body of SOAP requests to contain references to external entities. This allows an unauthenticated attacker to read…

PriorityP184high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
32.92%
98.1th percentile
The "soap_cgi.pyc" API handler allows the XML body of SOAP requests to contain references to external entities. This allows an unauthenticated attacker to read local files, perform server-side request forgery, and overwhelm the web server resources.

Affected

1 ranges
VendorProductVersion rangeFixed in
journyxjournyx

Detection & IOCsextracted from sources · hover to see the quote

path/jtcgi/soap_cgi.pyc
filenamesoap_cgi.pyc
otherfofa-query: icon_hash="-109972155"
  • Target the POST endpoint /jtcgi/soap_cgi.pyc with a SOAP XML body containing an XXE payload referencing external entities (e.g., file:///etc/passwd). A successful exploit response will contain 'root:.*:0:0:' or 'invalid password for user' in the body, and 'text/xml' in the response Content-Type header with HTTP 200.
  • Response body match for successful XXE file read: regex 'root:.*:0:0:' (passwd file content) AND 'invalid password for user', combined with Content-Type header containing 'text/xml' and HTTP status 200.
  • The vulnerability is unauthenticated — no session or credentials are required to exploit the XXE via the SOAP API handler.
  • Journyx instances can be fingerprinted via FOFA using icon hash -109972155 to identify exposed targets.
  • ·The vulnerability affects Journyx up to and including version 11.5.4. Version 11.5.5 is the patched release.
  • ·The EPSS score is extremely high (0.91385, 99.66th percentile), indicating this CVE has a very high probability of exploitation in the wild and should be prioritized.

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.