mirror of https://github.com/qwqdanchun/Goby.git
58 lines
3.6 KiB
JSON
58 lines
3.6 KiB
JSON
{
|
||
"Name": "OpenCats 9.4.2 XXE (CVE-2019-13358)",
|
||
"Description": "<p>OpenCats is a leading free & open applicant tracking system</p><p>lib/DocumentToText.php in OpenCats before 0.9.4-3 has XXE that allows remote users to read files on the underlying operating system. The attacker must upload a file in the docx or odt format.</p>",
|
||
"Product": "OpenCats",
|
||
"Homepage": "https://opencats.org",
|
||
"DisclosureDate": "2021-09-22",
|
||
"Author": "1291904552@qq.com",
|
||
"FofaQuery": "title=\"opencats - Login\"||body=\"opencats - Login\"",
|
||
"GobyQuery": "title=\"opencats - Login\"||body=\"opencats - Login\"",
|
||
"Level": "2",
|
||
"Impact": "<p>lib/DocumentToText.php in OpenCats before 0.9.4-3 has XXE that allows remote users to read files on the underlying operating system. The attacker must upload a file in the docx or odt format.</p>",
|
||
"Recommandation": "<p>The vendor has released a bug fix, please pay attention to the update in time: <a href=\"https://github.com/opencats/opencats\">https://github.com/opencats/opencats</a></p><p>1. Set access policies and whitelist access through security devices such as firewalls.</p><p>2.If not necessary, prohibit public network access to the system.</p>",
|
||
"Translation": {
|
||
"CN": {
|
||
"Name": "OpenCats 9.4.2 版本存在 XXE 漏洞",
|
||
"VulType": ["XXE漏洞"],
|
||
"Description": "<p>OpenCats是领先的免费开放申请人跟踪系统</p><p>0.9.4-3 之前的 OpenCats 中的 lib/DocumentToText.php 具有 XXE,允许远程用户读取底层操作系统上的文件。攻击者必须上传 docx 或 odt 格式的文件。</p>",
|
||
"Impact": "<p>0.9.4-3 之前的 OpenCats 中的 lib/DocumentToText.php 具有 XXE,允许远程用户读取底层操作系统上的文件。攻击者必须上传 docx 或 odt 格式的文件。</p>",
|
||
"Product": "OpenCats",
|
||
"Recommendation": "<p>⼚商已发布了漏洞修复程序,请及时关注更新: <a href=\"https://github.com/opencats/opencats\">https://github.com/opencats/opencats</a></p><p>1、通过防⽕墙等安全设备设置访问策略,设置⽩名单访问。</p><p>2、如⾮必要,禁⽌公⽹访问该系统。</p>"
|
||
},
|
||
"EN": {
|
||
"Name": "OpenCats 9.4.2 XXE CVE-2019-13358",
|
||
"VulType": ["xxe"],
|
||
"Description": "<p>OpenCats is a leading free & open applicant tracking system</p><p>lib/DocumentToText.php in OpenCats before 0.9.4-3 has XXE that allows remote users to read files on the underlying operating system. The attacker must upload a file in the docx or odt format.</p>",
|
||
"Impact": "<p>lib/DocumentToText.php in OpenCats before 0.9.4-3 has XXE that allows remote users to read files on the underlying operating system. The attacker must upload a file in the docx or odt format.</p>",
|
||
"Product": "OpenCats",
|
||
"Recommendation": "<p>The vendor has released a bug fix, please pay attention to the update in time: <a href=\"https://github.com/opencats/opencats\">https://github.com/opencats/opencats</a></p><p>1. Set access policies and whitelist access through security devices such as firewalls.</p><p>2.If not necessary, prohibit public network access to the system.</p>"
|
||
}
|
||
},
|
||
"References": [
|
||
"https://www.exploit-db.com/exploits/50316"
|
||
],
|
||
"HasExp": true,
|
||
"ExpParams": [
|
||
{
|
||
"name": "filepath",
|
||
"type": "createSelect",
|
||
"value": "php://filter/convert.base64-encode/resource=config.php"
|
||
}
|
||
],
|
||
"ExpTips": null,
|
||
"ScanSteps": null,
|
||
"ExploitSteps": null,
|
||
"Tags": [
|
||
"xxe"
|
||
],
|
||
"VulType": ["xxe"],
|
||
"CVEIDs": ["CVE-2019-13358"],
|
||
"CVSSScore": "6.0",
|
||
"AttackSurfaces": {
|
||
"Application": ["OpenCats"],
|
||
"Support": null,
|
||
"Service": null,
|
||
"System": null,
|
||
"Hardware": null
|
||
}
|
||
} |