| Field | Value |
|---|---|
| Title | 泛微e-cology RequestInfoByXml XML entity injection |
| Description | The "RequestInfoByXml" API in the "泛微e-cology" system is vulnerable to XML external entity (XXE) injection. The vulnerability is due to the API's improper handling of XML input that contains external entities. Attackers can exploit it by sending specially crafted XML requests containing entity references to retrieve sensitive information or execute arbitrary code on the system. Successful exploitation can result in unauthorized access, data exfiltration, and complete system compromise. To mitigate this vulnerability, properly sanitize XML input, configure the XML parser to prevent external entity resolution, or use a secure XML parser that is not vulnerable to this class of attack. |
| Source | https://github.com/Strangenees/e-cology/blob/main/main.md |
| User | strangerss (UID 34714) |
| Submission | 05/12/2023 04:41 (3 years ago) |
| Moderation | 05/19/2023 10:23 (7 days later) |
| Status | Accepted |
| VulDB entry | 229411 [Weaver e-cology up to 9.0 API RequestInfoByXml xml external entity reference] |
| Points | 20 |
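The mitigation named in the description (refuse external entity resolution before the parser ever sees the document) can be expressed as a pre-parse gate in front of an XML endpoint. The following is an added illustration written for this entry; it is not code from the VulDB record, from the linked write-up, or from Weaver's e-cology product. All function names are assumed, the request elements are a constructed stand-in rather than the real RequestInfoByXml schema, and the sample documents are constructed with a placeholder URI.

```python
"""Pre-parse gate for an XML API: reject any document that carries a DTD
(DOCTYPE or ENTITY declaration) before it reaches the XML parser, then parse
what remains with the standard library.

Added example with assumed names and constructed inputs; not e-cology code.
"""
import re
import xml.etree.ElementTree as ET

# Conservative detector: any DOCTYPE or ENTITY declaration anywhere in the
# document.  A false positive on "<!DOCTYPE" inside a comment is acceptable
# for an API that never legitimately accepts a DTD.
_DTD_MARKERS = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


class UnsafeXmlError(ValueError):
    """Raised when a document carries a DTD and must not be parsed."""


def has_dtd(document: bytes) -> bool:
    """Return True if the document declares a DOCTYPE or an ENTITY."""
    return _DTD_MARKERS.search(document) is not None


def safe_parse(document: bytes) -> ET.Element:
    """Reject any document containing a DTD, then parse the rest.

    The expat-based parser behind ElementTree does not fetch external
    entities on its own, but refusing the DTD outright also blocks
    internal-entity expansion (billion laughs) and keeps the policy
    independent of whichever parser sits behind the endpoint.
    """
    if has_dtd(document):
        raise UnsafeXmlError("DOCTYPE/ENTITY declarations are not accepted")
    return ET.fromstring(document)


# Constructed benign request (assumed element names, not the real schema).
BENIGN_REQUEST = b"""<?xml version="1.0"?>
<request><user>alice</user><action>query</action></request>"""

# Constructed: the general shape of an external-entity document, with a
# placeholder URI; used only to show that the gate rejects it.
DTD_REQUEST = b"""<?xml version="1.0"?>
<!DOCTYPE request [<!ENTITY ext SYSTEM "file:///PLACEHOLDER">]>
<request><user>&ext;</user></request>"""


def classify(document: bytes) -> str:
    """Label a request for a logging/detection pipeline:
    'accepted', 'rejected' (DTD present) or 'malformed' (not well-formed XML)."""
    try:
        safe_parse(document)
        return "accepted"
    except UnsafeXmlError:
        return "rejected"
    except ET.ParseError:
        return "malformed"


if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_REQUEST), ("dtd", DTD_REQUEST)):
        print(f"{name}: {classify(doc)}")
```

Logging the `rejected` outcome with the source address gives a simple detection signal for probing of XML endpoints. On a Java stack such as the one behind e-cology, the same policy is normally set on the parser factory rather than by regex, for example by enabling the `http://apache.org/xml/features/disallow-doctype-decl` feature on `DocumentBuilderFactory` so that any DOCTYPE is a parse error.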