Openbravo ERP 2.5, 3, and possibly earlier versions contain an information disclosure vulnerability (CWE-200).
CWE-200: Information Exposure
Openbravo ERP version 2.5 and version 3 contain an information disclosure vulnerability. The XML API parses client-supplied XML with XML External Entity (XXE) processing enabled, so entities declared in a request's DOCTYPE are resolved by the server. An attacker can send specially crafted XML requests to the XML API that declare an external entity whose system identifier points at a file on the server (for example a file:// URI) and reference it from a field the API reflects in its response, causing the application to return the contents of files on the filesystem.
An authenticated attacker can send specially crafted XML requests to the XML API and have the application read files from the server's filesystem; any file readable by the account the application server runs as is exposed. Depending on what those files contain, such as configuration files holding database or application credentials, this may be used to obtain unauthorized administrative access to the system.
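The following is an added illustration and is not Openbravo code: a toy Python stand-in for an XML API endpoint that echoes a request field back to the caller, parsed once with external general entities resolved (the XXE condition described above) and once hardened. The payload, the "secret" file it reads, and the function and class names are all constructed for this example. Openbravo ERP itself is a Java application; there the equivalent hardening is to disable DTDs and external entities on the JAXP parser factory (for example the Xerces feature http://apache.org/xml/features/disallow-doctype-decl) rather than the SAX feature flag used here.

```python
# Added example (not Openbravo code): a toy "XML API" that echoes a request
# field back to the caller, first with external general entity resolution
# switched on (the XXE condition in this note), then hardened.
import os
import tempfile
from io import BytesIO
from pathlib import Path
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, property_lexical_handler

# Constructed attacker payload: declares an external entity pointing at a local
# file and references it from an element the API reflects into its response.
XXE_PAYLOAD = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE request [\n'
    '  <!ENTITY xxe SYSTEM "{file_uri}">\n'
    ']>\n'
    '<request><description>&xxe;</description></request>'
)


class _DescriptionCollector(ContentHandler):
    """Collects the character data inside <description>, expanded entities included."""

    def __init__(self):
        super().__init__()
        self._inside = False
        self.parts = []

    def startElement(self, name, attrs):
        if name == "description":
            self._inside = True

    def endElement(self, name):
        if name == "description":
            self._inside = False

    def characters(self, content):
        if self._inside:
            self.parts.append(content)


class _RejectDoctype:
    """Minimal SAX LexicalHandler: any DOCTYPE aborts parsing, so a client can
    never declare an entity (internal or external) in the first place."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE declarations are not accepted by this API")

    def endDTD(self): pass
    def startEntity(self, name): pass
    def endEntity(self, name): pass
    def startCDATA(self): pass
    def endCDATA(self): pass
    def comment(self, content): pass


def handle_request(xml_bytes, resolve_external_entities, reject_doctype=False):
    """Toy XML API handler (hypothetical): parses the request and returns the
    <description> text that the service would echo back to the client."""
    parser = xml.sax.make_parser()
    # True reproduces the vulnerable configuration.  The stdlib default has been
    # False since Python 3.7.1; earlier releases resolved external entities by default.
    parser.setFeature(feature_external_ges, resolve_external_entities)
    if reject_doctype:
        parser.setProperty(property_lexical_handler, _RejectDoctype())
    collector = _DescriptionCollector()
    parser.setContentHandler(collector)
    parser.parse(BytesIO(xml_bytes))
    return "".join(collector.parts)


def run_demo():
    """Plants a constructed 'secret' file, fires the payload at the vulnerable
    and hardened handlers, and returns what each configuration discloses."""
    fd, path = tempfile.mkstemp(suffix=".properties")
    with os.fdopen(fd, "w") as f:
        f.write("db.password=hunter2")  # constructed stand-in for a config file
    try:
        payload = XXE_PAYLOAD.format(file_uri=Path(path).as_uri()).encode()
        leaked = handle_request(payload, resolve_external_entities=True)
        dropped = handle_request(payload, resolve_external_entities=False)
        try:
            handle_request(payload, False, reject_doctype=True)
            rejected = False
        except ValueError:
            rejected = True
    finally:
        os.unlink(path)
    return {"vulnerable": leaked, "entities_off": dropped, "doctype_rejected": rejected}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

In the vulnerable run the file contents come straight back in the echoed field, which is exactly the disclosure this note describes. Turning off external entity resolution alone makes the reference resolve to nothing, which stops the leak but still lets a client ship a DTD (and with it entity-expansion denial-of-service payloads); refusing any DOCTYPE is the stricter setting an API that never needs DTDs should use.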
Thanks to Tod Beardsley and Brandon Perry of Rapid7, Inc. for reporting this vulnerability.
This document was written by Adam Rauf.
Date First Published: 2013-10-30
Date Last Updated: 2013-11-05 21:37 UTC