CVE-2011-3600
The /webtools/control/xmlrpc endpoint in OFBiz XML-RPC event handler is exposed to External Entity Injection by passing DOCTYPE declarations with...
Basic Information
- CVE State
- PUBLISHED
- Reserved Date
- September 21, 2011
- Published Date
- November 26, 2019
- Last Updated
- August 06, 2024
- Vendor
- OFBiz
- Product
- OFBiz
- Description
- The /webtools/control/xmlrpc endpoint in OFBiz XML-RPC event handler is exposed to External Entity Injection by passing DOCTYPE declarations with executable payloads that discloses the contents of files in the filesystem. In addition, it can also be used to probe for open network ports, and figure out from returned error messages whether a file exists or not. This affects OFBiz 16.11.01 to 16.11.04.
- Tags
- Exploited in the Wild
- Yes (2025-07-05 00:00:00 UTC) Source
nuclei_scanner
CVSS Scores
CVSS v3.1
7.5 - HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v2.0
5.0
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Exploit Status
References
https://security-tracker.debian.org/tracker/CVE-2011-3600
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3600
https://access.redhat.com/security/cve/cve-2011-3600
https://lists.apache.org/thread.html/7793319ae80ec350f7b82a8763460944f120ebe447f14a12155d0550%40%3Ccommits.ofbiz.apache.org%3E
http://mail-archives.apache.org/mod_mbox/ofbiz-user/201810.mbox/%3Cfad45546-af86-0293-9ea7-014553474b30%40apache.org%3E
Known Exploited Vulnerability Information
| Source | Added Date |
|---|---|
| The Shadowserver (via CIRCL) | 2025-07-05 00:00:00 UTC |
Scanner Integrations
| Scanner | URL | Date Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2011/CVE-2011-3600.yaml | 2026-06-01 15:34:24 UTC |
Timeline
-
CVE ID Reserved
-
CVE Published to Public
-
Added to KEVIntel
-
Detected by Nuclei