VDB

CVE-2011-3600

CVE-2011-3600 PUBLISHED CVSS 5 MEDIUM

The /webtools/control/xmlrpc endpoint in OFBiz XML-RPC event handler is exposed to External Entity Injection by passing DOCTYPE declarations with executable payloads that discloses the contents of files in the filesystem. In addition, it can also be used to probe for open network ports, and figure out from returned error messages whether a file exists or not. This affects OFBiz 16.11.01 to 16.11.04.

EPSS 71.76% · 98.8th percentile

Risk Scores

CVSS 2.0
5
EPSS Score
71.76%
98.8th percentile

Affected Products

VendorProductVersions
apacheofbiz16.11.01
OFBizOFBiz16.11.01 to 16.11.04

Timeline

  • Nov 26, 2019 CVE Published
  • Feb 4, 2022 EPSS Score
  • May 20, 2022 EPSS Score
  • Jul 12, 2022 EPSS Score
  • Oct 26, 2022 EPSS Score
  • Feb 9, 2023 EPSS Score
  • Mar 7, 2023 EPSS Score
  • May 25, 2023 EPSS Score
  • Sep 7, 2023 EPSS Score
  • Oct 30, 2023 EPSS Score
  • Feb 12, 2024 EPSS Score
  • May 27, 2024 EPSS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›