CVE-2013-3617

Openbravo ERP <= 3.0 - Authenticated XML External Entity Injection via /ws/dal/XXX Interfaces

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2013-3617. PoCs published by Tod Beardsley, including Metasploit module auxiliary/admin/http/openbravo_xxe.

AI-analyzed exploit summary: This XML payload demonstrates an XXE (XML External Entity) vulnerability in Openbravo ERP, allowing an attacker to read arbitrary files (e.g., /etc/passwd) by exploiting improper XML entity processing. The PoC includes a malicious DTD declaration that references an external file, which is then embedded in the XML structure.

Description

The XML API in Openbravo ERP 2.5, 3.0, and earlier allows remote authenticated users to read arbitrary files via an XML document with an external entity declaration in conjunction with an entity reference to /ws/dal/ADUser or other /ws/dal/XXX interfaces, related to an XML External Entity (XXE) issue.

Exploits (2)

exploitdb · Working PoC · Verified
by Tod Beardsley · xml · remote · multiple
https://www.exploit-db.com/exploits/38818

Classification: Working PoC (100%)
Attack type: Info leak
Complexity: Trivial
Reliability: Reliable
Target: Openbravo ERP 2.5 and 3.0
Auth: No auth needed
Prerequisites: Network access to the vulnerable Openbravo ERP instance · Ability to send crafted XML requests to the application
Analyzed by devstral-2 · Feb 18, 2026
metasploit · Working PoC
ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/http/openbravo_xxe.rb

This Metasploit module exploits an XXE vulnerability in Openbravo ERP to read arbitrary files from the server. It authenticates, crafts a malicious XML payload with an external entity reference, and retrieves the file contents via the API response.

Classification: Working PoC (100%)
Attack type: Info leak
Complexity: Moderate
Reliability: Reliable
Target: Openbravo ERP versions 3.0MP25 and 2.50MP6
Auth: Auth required
Prerequisites: Valid Openbravo credentials · Access to the XML API endpoint
Analyzed by devstral-2 · Feb 16, 2026

References (3)

Core references
Exploit, US Government Resource · third-party-advisory · x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/533894
Exploit · vdb-entry · x_refsource_bid
http://www.securityfocus.com/bid/63431

Scores

EPSS: 0.5674
EPSS percentile: 98.2%

Details

CWE: CWE-264
Status: published
Products (3)
openbravo/openbravo_erp 2.40
openbravo/openbravo_erp 2.50
openbravo/openbravo_erp < 3.0
Published: Nov 02, 2013
Tracked since: Feb 18, 2026