Vulnerability Details : CVE-2019-13358
lib/DocumentToText.php in OpenCats before 0.9.4-3 has XXE that allows remote users to read files on the underlying operating system. The attacker must upload a file in the docx or odt format.
Vulnerability category: XML external entity (XXE) injection
Products affected by CVE-2019-13358
- cpe:2.3:a:opencats:opencats:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-13358
- EPSS score: 8.03% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~94% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2019-13358
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2019-13358
- The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2019-13358
- https://doddsecurity.com/312/xml-external-entity-injection-xxe-in-opencats-applicant-tracking-system/ : XML External Entity Injection (XXE) in OpenCats Applicant Tracking System – Dodd Security (Exploit; Third Party Advisory)
- http://www.opencats.org/news/ : News - OpenCATS Applicant Tracking System (Release Notes; Vendor Advisory)
- https://github.com/opencats/OpenCATS/pull/440 : Address vulnerabilities by RussH · Pull Request #440 · opencats/OpenCATS · GitHub (Issue Tracking; Third Party Advisory)
- http://packetstormsecurity.com/files/164253/OpenCats-0.9.4-2-XML-Injection.html : OpenCats 0.9.4-2 XML Injection ≈ Packet Storm (Exploit; Third Party Advisory; VDB Entry)