Apache.OFBiz.XXE.Vulnerability.in.HttpEngine
Description
The OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. Both POST and GET requests to the httpService endpoint may contain three parameters: serviceName, serviceMode, and serviceContext.
The exploitation occurs by having DOCTYPEs pointing to external references that trigger a payload that returns secret information from the host.
Affected Products
In Apache OFBiz 16.11.01 to 16.11.04
Impact
Information Disclosure: Remote attackers can gain sensitive information from vulnerable systems.
Recommended Actions
Apply the most recent upgrade or patch from the vendor.
Version Updates
Date | Version | Detail |
---|---|---|
2023-04-28 | 0.00347 |