CVE-2024-13971

HIGH

Arbitrary File Read and Server Side Request Forgery via XML External Entities in Lobster_pro

Title source: cna

Description

Unauthenticated attackers can exploit a weakness in the XML parser functionality of Lobster_pro prior to version 4.12.6-GA. This allows them to obtain read access to files on the application server and adjacent network shares, and perform HTTP GET requests to arbitrary services.

References (1)

https://www.schutzwerk.com/en/blog/schutzwerk-sa-2024-005/

Scores

CVSS v4 7.7

EPSS 0.0002

EPSS Percentile 4.3%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N/S:N/AU:Y/V:C

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-611

Status published

Products (2)

Lobster GmbH/Lobster_pro < 4.12.6-GA

Lobster GmbH/Lobster_pro 4.12.6-GA

Published Apr 30, 2026

Tracked Since Apr 30, 2026