| 제목 | Zhilink (Shenzhen) Technology Co., Ltd. ADP Application Developer Platform V1.0.0 XML External Entity Injection (CWE-611) |
|---|
| 설명 | A critical XML External Entity (XXE) injection vulnerability exists in the /adpweb/a/base/barcodeDetail/import endpoint. The application fails to properly sanitize or validate the uploaded Excel files during the barcode detail import process. An authenticated remote attacker can upload a specially crafted Excel file containing malicious XML entities, which are subsequently parsed by the XML parser without disabling external entity resolution. Successful exploitation allows the attacker to read arbitrary files on the server (e.g., /etc/passwd), perform Server-Side Request Forgery (SSRF) attacks to scan internal network ports, and potentially achieve remote code execution, leading to a full system compromise. |
|---|
| 원천 | ⚠️ https://ucn9h68n9289.feishu.cn/docx/LeLOdhV6mo3clzxstxXcpFzbnjg?from=from_copylink |
|---|
| 사용자 | bigbrother_man (UID 96003) |
|---|
| 제출 | 2026. 05. 22. AM 10:14 (1 월 ago) |
|---|
| 모더레이션 | 2026. 06. 20. AM 11:58 (29 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 372530 [zhilink 智互联(深圳)科技有限公司 ADP Application Developer Platform 应用开发者平台 XML Parser import XML External Entity] |
|---|
| 포인트들 | 20 |
|---|