CVE-2013-3617

Openbravo ERP < 3.0 - Access Control

Title source: rule

Description

The XML API in Openbravo ERP 2.5, 3.0, and earlier allows remote authenticated users to read arbitrary files via an XML document with an external entity declaration in conjunction with an entity reference to /ws/dal/ADUser or other /ws/dal/XXX interfaces, related to an XML External Entity (XXE) issue.

Exploits (2)

exploit-db (working PoC, verified)
by Tod Beardsley; tags: xml, remote, multiple
https://www.exploit-db.com/exploits/38818

Metasploit (working PoC)
tags: ruby, poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/http/openbravo_xxe.rb

Scores

EPSS 0.5674
EPSS Percentile 98.1%

Details

CWE
CWE-264
Status published
Products (3)
openbravo/openbravo_erp 2.40
openbravo/openbravo_erp 2.50
openbravo/openbravo_erp < 3.0
Published Nov 02, 2013
Tracked Since Feb 18, 2026