lib/DocumentToText.php in OpenCats before 0.9.4-3 has XXE that allows remote users to read files on the underlying operating system. The attacker must upload a file in the docx or odt format.
References
Link | Resource |
---|---|
http://www.opencats.org/news/ | Release Notes Vendor Advisory |
https://github.com/opencats/OpenCATS/pull/440 | Issue Tracking Third Party Advisory |
https://doddsecurity.com/312/xml-external-entity-injection-xxe-in-opencats-applicant-tracking-system/ | Exploit Third Party Advisory |
http://packetstormsecurity.com/files/164253/OpenCats-0.9.4-2-XML-Injection.html | Exploit Third Party Advisory VDB Entry |
Configurations
Information
Published : 2019-07-05 14:15
Updated : 2021-12-14 13:50
NVD link : CVE-2019-13358
Mitre link : CVE-2019-13358
JSON object : View
CWE
CWE-611
Improper Restriction of XML External Entity Reference
Products Affected
opencats
- opencats