CVE-2011-3600
The /webtools/control/xmlrpc endpoint in OFBiz XML-RPC event handler is exposed to External Entity Injection by passing DOCTYPE declarations with...
Basic Information
- CVE State
- PUBLISHED
- Reserved Date
- September 21, 2011
- Published Date
- November 26, 2019
- Last Updated
- August 06, 2024
- Vendor
- OFBiz
- Product
- OFBiz
- Description
- The /webtools/control/xmlrpc endpoint in OFBiz XML-RPC event handler is exposed to External Entity Injection by passing DOCTYPE declarations with executable payloads that discloses the contents of files in the filesystem. In addition, it can also be used to probe for open network ports, and figure out from returned error messages whether a file exists or not. This affects OFBiz 16.11.01 to 16.11.04.
CVSS Scores
CVSS v3.1
7.5 - HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v2.0
5.0
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS Score
- Score
- 12.89% (Percentile: 93.65%) as of 2025-06-06
Exploit Status
- Exploited in the Wild
- Yes (2025-05-09 00:00:00 UTC) Source
References
https://security-tracker.debian.org/tracker/CVE-2011-3600
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3600
https://access.redhat.com/security/cve/cve-2011-3600
https://lists.apache.org/thread.html/7793319ae80ec350f7b82a8763460944f120ebe447f14a12155d0550%40%3Ccommits.ofbiz.apache.org%3E
http://mail-archives.apache.org/mod_mbox/ofbiz-user/201810.mbox/%3Cfad45546-af86-0293-9ea7-014553474b30%40apache.org%3E
Known Exploited Vulnerability Information
| Source | Added Date |
|---|---|
| The Shadowserver (via CIRCL) | 2025-05-09 00:00:00 UTC |
Timeline
-
CVE ID Reserved
-
CVE Published to Public
-
Added to KEVIntel