Submit #680872: OpenClinica OpenClinica Community Edition 3.13, Changeset 74f4df3481b6 (2017-02-28) and 3.12.2, Changeset 347dcfca3d17 (2016-11-21) XML Injection

Title: OpenClinica OpenClinica Community Edition 3.13, Changeset 74f4df3481b6 (2017-02-28) and 3.12.2, Changeset 347dcfca3d17 (2016-11-21) XML Injection
Description: OpenClinica is vulnerable to XXE in the "Import CRF Data" function. The XML parser processes external entities. A crafted XML can read local files (e.g. /etc/passwd) and reflect their contents back in the UI error block, confirming XXE with file disclosure and potential SSRF. A detailed write-up is available in the link provided.
Source: https://github.com/mikecole-mg/security_findings/blob/main/openclinica/openclinica-xxe.md
User: mikecole-mg (UID 89343)
Submission: 10/23/2025 04:31 (6 months ago)
Moderation: 11/09/2025 07:42 (17 days later)
Status: Accepted
VulDB entry: 331641 [OpenClinica Community Edition up to 3.12.2/3.13 CRF Data Import ImportCRFData?action=confirm xml_file xml injection]
Points: 18
