| Title | Feng Office >= v3.2.2.1 XXE |
|---|
| Description | Feng Office has a blind XXE vulnerability that can be exploited via document upload.
It's possible to leverage this vulnerability to exfiltrate data from local files and to achieve SSRF.
If PECL expect were installed, this could be escalated to RCE. Depending on the PHP version installed phar:// may also be used to escalate the attack. |
|---|
| Source | ⚠️ https://gist.github.com/mcdruid/e78694d754f44884830898be082fcbaa |
|---|
| User | mcdruid (UID 79710) |
|---|
| Submission | 05/29/2025 19:35 (11 months ago) |
|---|
| Moderation | 06/08/2025 20:05 (10 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 311636 [Fengoffice Feng Office 3.2.2.1 Document Upload ApplicationDataObject.class.php xml external entity reference] |
|---|
| Points | 18 |
|---|