VDB
CVE-2011-3600
CVE-2011-3600
PUBLISHED
CVSS 5 MEDIUM
The /webtools/control/xmlrpc endpoint in OFBiz XML-RPC event handler is exposed to External Entity Injection by passing DOCTYPE declarations with executable payloads that discloses the contents of files in the filesystem. In addition, it can also be used to probe for open network ports, and figure out from returned error messages whether a file exists or not. This affects OFBiz 16.11.01 to 16.11.04.
EPSS 71.76% · 98.8th percentile
Risk Scores
CVSS 2.0
5
EPSS Score
71.76%
98.8th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| apache | ofbiz | 16.11.01 |
| OFBiz | OFBiz | 16.11.01 to 16.11.04 |
Timeline
- Nov 26, 2019 CVE Published
- Feb 4, 2022 EPSS Score
- May 20, 2022 EPSS Score
- Jul 12, 2022 EPSS Score
- Oct 26, 2022 EPSS Score
- Feb 9, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- May 25, 2023 EPSS Score
- Sep 7, 2023 EPSS Score
- Oct 30, 2023 EPSS Score
- Feb 12, 2024 EPSS Score
- May 27, 2024 EPSS Score
References
- https://security-tracker.debian.org/tracker/CVE-2011-3600 url
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3600 url
- https://access.redhat.com/security/cve/cve-2011-3600 url
- https://lists.apache.org/thread.html/7793319ae80ec350f7b82a8763460944f120ebe447f14a12155d0550%40%3Ccommits.ofbiz.apache.org%3E url
- http://mail-archives.apache.org/mod_mbox/ofbiz-user/201810.mbox/%3Cfad45546-af86-0293-9ea7-014553474b30%40apache.org%3E url
- https://nvd.nist.gov/vuln/detail/CVE-2011-3600 advisory
- https://lists.apache.org/thread.html/7793319ae80ec350f7b82a8763460944f120ebe447f14a12155d0550@<commits.ofbiz.apache.org> url
- http://mail-archives.apache.org/mod_mbox/ofbiz-user/201810.mbox/%3Cfad45546-af86-0293-9ea7-014553474b30@apache.org%3E url