Vulnerability Details : CVE-2013-3617
Public exploit exists!
The XML API in Openbravo ERP 2.5, 3.0, and earlier allows remote authenticated users to read arbitrary files via an XML document with an external entity declaration in conjunction with an entity reference to /ws/dal/ADUser or other /ws/dal/XXX interfaces, related to an XML External Entity (XXE) issue.
Vulnerability category: XML external entity (XXE) injection
Products affected by CVE-2013-3617
- cpe:2.3:a:openbravo:openbravo_erp:*:*:*:*:*:*:*:*
- cpe:2.3:a:openbravo:openbravo_erp:2.50:*:*:*:*:*:*:*
- cpe:2.3:a:openbravo:openbravo_erp:2.40:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2013-3617
EPSS score: 14.27% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~96% (the proportion of vulnerabilities scored at or below this score)
Metasploit modules for CVE-2013-3617
- Openbravo ERP XXE Arbitrary File Read
  Disclosure Date: 2013-10-30
  First seen: 2020-04-26
  Module: auxiliary/admin/http/openbravo_xxe
  The Openbravo ERP XML API expands external entities which can be defined as local files. This allows the user to read any files from the FS as the user Openbravo is running as (generally not root). This module was tested against Openbravo ERP version 3.0MP25.
CVSS scores for CVE-2013-3617
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
3.5 | LOW | AV:N/AC:M/Au:S/C:P/I:N/A:N | 6.8 | 2.9 | NIST | 
CWE ids for CVE-2013-3617
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2013-3617
- https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats
  Seven FOSS Tricks and Treats (Part Two)
- http://www.kb.cert.org/vuls/id/533894
  VU#533894 - Openbravo ERP contains an information disclosure vulnerability (tags: Exploit; US Government Resource)
- http://www.securityfocus.com/bid/63431
  Openbravo ERP CVE-2013-3617 XML External Entity Information Disclosure Vulnerability (tag: Exploit)