Skip to content

Instantly share code, notes, and snippets.

@spookhorror

spookhorror/gist:9519fc66d3946e887e4a86c06ddbee0e

Last active November 5, 2023 13:56
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save spookhorror/9519fc66d3946e887e4a86c06ddbee0e to your computer and use it in GitHub Desktop.
Save spookhorror/9519fc66d3946e887e4a86c06ddbee0e to your computer and use it in GitHub Desktop.
Download ZIP
Raw
gistfile1.txt
Hello everyone,
I have discovered an XXE issue in openCRX v5.2.2, and it has been assigned CVE-2023-46502.
Description:
In openCRX v5.2.2, an insecure DocumentBuilderFactory is utilized for parsing user requests, which enables attackers to read internal files and execute server side request forgery attack.
Impact:
SSRF and local file inclusion.
This issue has been resolved in the latest version, openCRX v5.3.0.
Commit Link: https://github.com/opencrx/opencrx/commit/ce7a71db0bb34ecbcb0e822d40598e410a48b399
Latest Version: https://github.com/opencrx/opencrx/releases/tag/opencrx-v5.3.0
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment