CVE-2023-24187 in ureport

Summary

by MITRE • 02/14/2023

An XML External Entity (XXE) vulnerability in ureport v2.2.9 allows attackers to execute arbitrary code via uploading a crafted XML file to /ureport/designer/saveReportFile.


Analysis

by VulDB Data Team • 07/05/2025

CVE-2023-24187 is an XML External Entity (XXE) flaw in ureport v2.2.9. It sits in the report designer: the endpoint /ureport/designer/saveReportFile accepts an uploaded report definition and parses it as XML without disabling external entity resolution. An attacker who can submit a file to that endpoint therefore controls the entity declarations the parser will honour.

The root cause is an XML parser left in its permissive default configuration, so DOCTYPE declarations are accepted and external entities are fetched and expanded. A crafted document can declare an entity backed by a file:// URI or an HTTP URL; when the parser expands it, the result is local file disclosure, server-side requests against internal hosts (SSRF), or, where the runtime and its handlers allow it, the code execution the MITRE description names. The weakness is CWE-611 (Improper Restriction of XML External Entity Reference).

Successful exploitation exposes more than the uploaded report. An attacker can read files the application's service account can reach, pivot to internal network services through the server's own outbound requests, and in the worst case run code on the host. The exposure is greater where ureport runs with elevated privileges or in a shared deployment where one compromised instance reaches other tenants' data.

Mitigation starts at the parser: disable DTD processing and external general and parameter entity resolution on every XML parser the application uses, not only the one behind saveReportFile, and validate uploaded report files against the expected structure before they reach the parser. Restrict who can reach the designer endpoints, and limit the host's outbound network access so a resolved entity cannot reach internal services. For detection, the post-exploitation activity that typically follows XXE maps to ATT&CK T1059 (Command and Scripting Interpreter) and T1068 (Exploitation for Privilege Escalation). Keep ureport patched and include its deployments in recurring vulnerability assessments.
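ureport is a Java application, so the parser configuration at issue is a JAXP one. The following is an added example, not ureport's own code (the page does not show the project's parser), that puts the permissive default DocumentBuilderFactory next to the hardened configuration the mitigation above calls for and runs both against a constructed sample upload. The element names (ureport/cell/text), the file the entity points at, and the class and method names are assumptions for illustration.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.IOException;
import java.io.StringReader;

public class XxeDemo {

    // Constructed sample of the kind of upload the advisory describes: a DOCTYPE that
    // declares an external entity and dereferences it inside the report body.
    // The element names are assumed, not ureport's real report schema.
    static final String CRAFTED_REPORT =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE ureport [\n"
      + "  <!ENTITY xxe SYSTEM \"file:///etc/hostname\">\n"
      + "]>\n"
      + "<ureport><cell><text>&xxe;</text></cell></ureport>";

    // WEAK: JAXP defaults. The DOCTYPE is honoured and external general entities are
    // resolved, so &xxe; is replaced with the contents of the referenced file.
    static Document parseWeak(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        DocumentBuilder b = f.newDocumentBuilder();
        return b.parse(new InputSource(new StringReader(xml)));
    }

    // HARDENED: reject any DOCTYPE outright (a report definition needs none), and as
    // defence in depth also turn off external entities and external DTD loading so the
    // parser stays safe even if the DOCTYPE check is ever relaxed.
    static Document parseHardened(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        DocumentBuilder b = f.newDocumentBuilder();
        return b.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        try {
            Document d = parseWeak(CRAFTED_REPORT);
            System.out.println("weak parser expanded &xxe; to: "
                + d.getDocumentElement().getTextContent().trim());
        } catch (IOException e) {
            // The default parser tried to open the URI; the attempt itself is the flaw.
            System.out.println("weak parser tried to fetch the external entity: " + e);
        }

        try {
            parseHardened(CRAFTED_REPORT);
            System.out.println("hardened parser accepted the upload (unexpected)");
        } catch (SAXException e) {
            // disallow-doctype-decl makes the parser fail before any entity is touched.
            System.out.println("hardened parser rejected the upload: " + e.getMessage());
        }
    }
}
```

The disallow-doctype-decl feature alone closes the hole for a format that never needs a DTD, because the parser aborts before reading any entity declaration; the remaining features and the JAXP access properties are there so that a future change to accept DTDs does not silently reopen external fetching. The same settings apply to SAXParserFactory and, with the equivalent feature names, to dom4j's SAXReader and other Xerces-based parsers.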

Reservation: 01/23/2023
Disclosure: 02/14/2023
Moderation: accepted
CPE: ready
EPSS: 0.00918
KEV: no
Activities: very low
