CVE-2023-3276

Summary

A vulnerability, which was classified as problematic, has been found in Dromara HuTool up to 5.8.19. Affected by this issue is the function readBySax of the file XmlUtil.java of the component XML Parsing Module. The manipulation leads to xml external entity reference. The exploit has been disclosed to the public and may be used. VDB-231626 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Affected Software

VendorProductVersion RangeStatus
DromaraHuTool5.8.0affected
DromaraHuTool5.8.1affected
DromaraHuTool5.8.2affected
DromaraHuTool5.8.3affected
DromaraHuTool5.8.4affected
DromaraHuTool5.8.5affected
DromaraHuTool5.8.6affected
DromaraHuTool5.8.7affected
DromaraHuTool5.8.8affected
DromaraHuTool5.8.9affected
DromaraHuTool5.8.10affected
DromaraHuTool5.8.11affected
DromaraHuTool5.8.12affected
DromaraHuTool5.8.13affected
DromaraHuTool5.8.14affected
DromaraHuTool5.8.15affected
DromaraHuTool5.8.16affected
DromaraHuTool5.8.17affected
DromaraHuTool5.8.18affected
DromaraHuTool5.8.19affected

Weaknesses

  • CWE-611: CWE-611 XML External Entity Reference

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References