CVE-2021-37425

CRITICAL

Altova Mobiletogether Server < 7.3 - XXE

Title source: rule

Description

Altova MobileTogether Server before 7.3 SP1 allows XXE attacks, such as an InfoSetChanges/Changes attack against /workflowmanagement, or reading mobiletogetherserver.cfg and then reading the certificate and private key.

Exploits (1)

exploitdb WORKING POC

by RedTeam Pentesting GmbH · textwebappsmultiple

https://www.exploit-db.com/exploits/50191

View Code ZIP pw:eip

References (4)

[Third Party Advisory] https://www.redteam-pentesting.de/en/advisories/-advisories-publicised-vulnerability-analyses

[Exploit, Third Party Advisory] https://www.redteam-pentesting.de/advisories/rt-sa-2021-002

[Vendor Advisory] https://www.altova.com/mobiletogether

[Exploit, Mailing List, Third Party Advisory] http://seclists.org/fulldisclosure/2021/Aug/12

Scores

CVSS v3 9.1

EPSS 0.0868

EPSS Percentile 92.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Details

CWE

CWE-611

Status published

Products (2)

altova/mobiletogether_server 7.3

altova/mobiletogether_server 7.0 - 7.3

Published Aug 10, 2021

Tracked Since Feb 18, 2026