qwqdanchun
/
Goby
mirror of https://github.com/qwqdanchun/Goby.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
Goby/json/OpenCats-9.4.2-XXE-(CVE-201...

58 lines
3.6 KiB
JSON
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

{
"Name": "OpenCats 9.4.2 XXE (CVE-2019-13358)",
"Description": "<p>OpenCats is a leading free & open applicant tracking system</p><p>lib/DocumentToText.php in OpenCats before 0.9.4-3 has XXE that allows remote users to read files on the underlying operating system. The attacker must upload a file in the docx or odt format.</p>",
"Product": "OpenCats",
"Homepage": "https://opencats.org",
"DisclosureDate": "2021-09-22",
"Author": "1291904552@qq.com",
"FofaQuery": "title=\"opencats - Login\"||body=\"opencats - Login\"",
"GobyQuery": "title=\"opencats - Login\"||body=\"opencats - Login\"",
"Level": "2",
"Impact": "<p>lib/DocumentToText.php in OpenCats before 0.9.4-3 has XXE that allows remote users to read files on the underlying operating system. The attacker must upload a file in the docx or odt format.</p>",
"Recommandation": "<p>The vendor has released a bug fix, please pay attention to the update in time: <a href=\"https://github.com/opencats/opencats\">https://github.com/opencats/opencats</a></p><p>1. Set access policies and whitelist access through security devices such as firewalls.</p><p>2.If not necessary, prohibit public network access to the system.</p>",
"Translation": {
"CN": {
"Name": "OpenCats 9.4.2 版本存在 XXE 漏洞",
"VulType": ["XXE漏洞"],
"Description": "<p>OpenCats是领先的免费开放申请人跟踪系统</p><p>0.9.4-3 之前的 OpenCats 中的 lib/DocumentToText.php 具有 XXE允许远程用户读取底层操作系统上的文件。攻击者必须上传 docx 或 odt 格式的文件。</p>",
"Impact": "<p>0.9.4-3 之前的 OpenCats 中的 lib/DocumentToText.php 具有 XXE允许远程用户读取底层操作系统上的文件。攻击者必须上传 docx 或 odt 格式的文件。</p>",
"Product": "OpenCats",
"Recommendation": "<p>⼚商已发布了漏洞修复程序,请及时关注更新: <a href=\"https://github.com/opencats/opencats\">https://github.com/opencats/opencats</a></p><p>1、通过防⽕墙等安全设备设置访问策略设置⽩名单访问。</p><p>2、如⾮必要禁⽌公⽹访问该系统。</p>"
},
"EN": {
"Name": "OpenCats 9.4.2 XXE CVE-2019-13358",
"VulType": ["xxe"],
"Description": "<p>OpenCats is a leading free & open applicant tracking system</p><p>lib/DocumentToText.php in OpenCats before 0.9.4-3 has XXE that allows remote users to read files on the underlying operating system. The attacker must upload a file in the docx or odt format.</p>",
"Impact": "<p>lib/DocumentToText.php in OpenCats before 0.9.4-3 has XXE that allows remote users to read files on the underlying operating system. The attacker must upload a file in the docx or odt format.</p>",
"Product": "OpenCats",
"Recommendation": "<p>The vendor has released a bug fix, please pay attention to the update in time: <a href=\"https://github.com/opencats/opencats\">https://github.com/opencats/opencats</a></p><p>1. Set access policies and whitelist access through security devices such as firewalls.</p><p>2.If not necessary, prohibit public network access to the system.</p>"
}
},
"References": [
"https://www.exploit-db.com/exploits/50316"
],
"HasExp": true,
"ExpParams": [
{
"name": "filepath",
"type": "createSelect",
"value": "php://filter/convert.base64-encode/resource=config.php"
}
],
"ExpTips": null,
"ScanSteps": null,
"ExploitSteps": null,
"Tags": [
"xxe"
],
"VulType": ["xxe"],
"CVEIDs": ["CVE-2019-13358"],
"CVSSScore": "6.0",
"AttackSurfaces": {
"Application": ["OpenCats"],
"Support": null,
"Service": null,
"System": null,
"Hardware": null
}
}
Reference in New Issue View Git Blame Copy Permalink