| Titel | Feng Office >= v3.2.2.1 XXE |
|---|
| Beschreibung | Feng Office has a blind XXE vulnerability that can be exploited via document upload.
It's possible to leverage this vulnerability to exfiltrate data from local files and to achieve SSRF.
If PECL expect were installed, this could be escalated to RCE. Depending on the PHP version installed phar:// may also be used to escalate the attack. |
|---|
| Quelle | ⚠️ https://gist.github.com/mcdruid/e78694d754f44884830898be082fcbaa |
|---|
| Benutzer | mcdruid (UID 79710) |
|---|
| Einreichung | 29.05.2025 19:35 (vor 11 Monaten) |
|---|
| Moderieren | 08.06.2025 20:05 (10 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 311636 [Fengoffice Feng Office 3.2.2.1 Document Upload ApplicationDataObject.class.php XML External Entity] |
|---|
| Punkte | 18 |
|---|