Vulnerability Note VU#533894
Openbravo ERP contains an information disclosure vulnerability
Openbravo ERP 2.5, 3, and possibly earlier versions contain an information disclosure vulnerability (CWE-200).
CWE-200: Information Exposure
Openbravo ERP version 2.5 and version 3 contain an information disclosure vulnerability. This is due to the XML API's processing of XML External Entities (XXE). An attacker can send specially crafted XML requests to the XML API and have the application return the contents of files on the filesystem.
An authenticated attacker can send specially crafted XML requests to the XML API and have the application read the contents of the filesystem. This may be used to obtain unauthorized administrative access to the system.
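A defensive counterpart to the behavior described above, as an added example that is not part of the original note or of Openbravo's code: a gate that screens an XML request body and rejects DOCTYPE and entity declarations before any application parser sees it. The function name `screen_xml`, the `Order` element and both sample bodies are constructed for illustration.

```python
"""Added example: screen XML request bodies for XXE-enabling constructs."""
from xml.parsers import expat


class UnsafeXML(ValueError):
    """Raised when a document carries a DTD or entity declaration."""


def screen_xml(body: bytes, allow_doctype: bool = False) -> str:
    """Return the root element name; raise UnsafeXML or expat.ExpatError."""
    parser = expat.ParserCreate()
    root = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Strictest policy: a data API has no need for any DTD.
        if not allow_doctype:
            raise UnsafeXML("DOCTYPE declaration is not accepted")
        if sysid is not None or pubid is not None:
            raise UnsafeXML("external DTD subset is not accepted")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Reached only when a DOCTYPE was allowed; entities stay forbidden.
        kind = "external" if sysid is not None else "internal"
        raise UnsafeXML(f"{kind} entity declaration {name!r} is not accepted")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXML("external entity reference is not accepted")

    def on_start(name, attrs):
        if not root:
            root.append(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    parser.Parse(body, True)  # exceptions raised in handlers propagate
    return root[0]


# Constructed sample bodies; the path is a placeholder, not a real file.
BENIGN = b"<Order><id>1001</id></Order>"
WITH_ENTITY = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE Order [<!ENTITY ref SYSTEM "file:///constructed/placeholder">]>\n'
    b"<Order><id>&ref;</id></Order>"
)
```

Rejected bodies are worth logging with the authenticated user, since the note states the requests come from an authenticated session.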
Vendor Information

| Vendor | Status | Date Notified | Date Updated |
| --- | --- | --- | --- |
| Openbravo | Affected | 03 Sep 2013 | 11 Sep 2013 |
Thanks to Tod Beardsley and Brandon Perry of Rapid7, Inc. for reporting this vulnerability.
This document was written by Adam Rauf.
- CVE IDs: CVE-2013-3617
- Date Public: 30 Oct 2013
- Date First Published: 30 Oct 2013
- Date Last Updated: 05 Nov 2013
- Document Revision: 38