CVE-2023-4554

XML External Entity (XXE) Processing

  • Severity Score: 6.5 (CVSS v3.1)
  • Exploit Likelihood: - (EPSS)
  • Affected Versions: >= 21.2 < 23.2 (CPE)
  • Public Exploits: 0 (Multiple Sources)
  • Exploited in Wild: - (KEV)
  • Decision: - (SSVC)
Descriptions

Improper Restriction of XML External Entity Reference vulnerability in OpenText AppBuilder on Windows, Linux allows Server Side Request Forgery, Probe System Files.

AppBuilder's XML processor is vulnerable to XML External Entity (XXE) processing, allowing an authenticated user to upload specially crafted XML files that induce server-side request forgery and disclose files local to the server that processes them.

This issue affects AppBuilder: from 21.2 before 23.2.

*Credits: George Mathias
CVSS Scores
Metric               First vector   Second vector
Attack Vector        Network        Network
Attack Complexity    Low            Low
Privileges Required  Low            High
User Interaction     None           None
Scope                Unchanged      Unchanged
Confidentiality      High           High
Integrity            None           None
Availability         None           None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2023-08-25 CVE Reserved
  • 2024-01-29 CVE Published
  • 2024-02-06 EPSS Updated
  • 2024-08-02 CVE Updated
  • (no date) Exploited in Wild
  • (no date) KEV Due Date
  • (no date) First Exploit
CWE
  • CWE-611: Improper Restriction of XML External Entity Reference
CAPEC
  • CAPEC-639: Probe System Files
  • CAPEC-664: Server Side Request Forgery
References (0)
Affected Vendors, Products, and Versions
Vendor    Product     Version         Other  Status    Running on            Platform Status
Opentext  Appbuilder  >= 21.2 < 23.2  -      Affected  Linux / Linux Kernel  Safe
Opentext  Appbuilder  >= 21.2 < 23.2  -      Affected  Microsoft / Windows   Safe