CVE-2024-6893

Journyx Unauthenticated XML External Entities Injection

Basic Information

CVE State: PUBLISHED
Reserved Date: July 18, 2024
Published Date: August 07, 2024
Last Updated: August 08, 2024
Vendor: Journyx
Product: Journyx (jtime)
Description: The "soap_cgi.pyc" API handler allows the XML body of SOAP requests to contain references to external entities. This allows an unauthenticated attacker to read local files, perform server-side request forgery, and overwhelm the web server resources.
Tags

CVSS Scores

CVSS v3.1

7.5 - HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

SSVC Information

Exploitation: poc
Automatable: Yes
Technical Impact: partial

Exploit Status

Exploited in the Wild: Yes (2026-04-30 00:00:00 UTC) Source

References

https://korelogic.com/Resources/Advisories/KL-001-2024-010.txt

Known Exploited Vulnerability Information

Source	Added Date
The Shadowserver (via CIRCL)	2026-04-30 00:00:00 UTC

Scanner Integrations

Scanner	URL	Date Detected
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-6893.yaml	2025-04-25 00:00:00 UTC

Timeline

CVE ID Reserved

July 18, 2024
CVE Published to Public

August 07, 2024
Detected by Nuclei

April 25, 2025
Added to KEVIntel

April 30, 2026