Bestfeng OA Git Free XML External Entity Injection Vulnerability
Vulnerability
A vulnerability allowing XML external entity (XXE) injection has been identified in Bestfeng OA Git Free versions through 9.5. The issue is in the 'updateWriteBack' function of the 'WorkflowPredefineController.java' file. When the application parses attacker-supplied XML, external entities declared in that XML are resolved, so a crafted document can cause the parser to fetch and include external resources. Such exploitation could facilitate unauthorized file access, command execution, internal network scanning, and attacks on internal websites. The vulnerability requires authentication and can be exploited remotely.
Impact
Exploitation of this vulnerability could allow an attacker to inject malicious XML that is processed by the application, leading to unauthorized access to files, execution of commands, scanning of internal ports, and attacks on internal web applications.
Reproduction
To reproduce this vulnerability, an authenticated user must send a POST request to the '/basic-api/oa/admin/flow/updateWriteBack' endpoint. The request must include an 'Authorization' header with a valid JWT token. The 'writeProp' parameter should be crafted to include a malicious XML entity that references an external resource. Once the request is processed, the external entity can be accessed, demonstrating the XXE vulnerability.
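The fix for this class of bug is to configure the XML parser so that DOCTYPE declarations and external entities are never honoured. The following Java class is an added example, not code from Bestfeng OA; the class name, method name and the sample documents are assumptions, and the feature URIs are the standard Xerces/JAXP ones.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/** Hardened XML parsing for a user-supplied parameter such as 'writeProp' (hypothetical helper). */
public final class SafeWritePropParser {

    /** Builds a DocumentBuilder that rejects DOCTYPE and never resolves external entities. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Refuse any DOCTYPE at all: no internal or external entity declarations can be made.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a parser implementation ignores the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    /** Parses the 'writeProp' XML; throws SAXException if the document carries a DOCTYPE. */
    public static Document parseWriteProp(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        return hardenedBuilder().parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed benign input: a plain property document with no DOCTYPE.
        String benign = "<props><prop name=\"field\">value</prop></props>";
        System.out.println("benign root: "
                + parseWriteProp(benign).getDocumentElement().getNodeName());

        // Constructed input with a DOCTYPE; the hardened parser rejects it before any entity
        // is resolved, which is what blocks XXE regardless of what the entity points at.
        String withDoctype = "<!DOCTYPE props [<!ENTITY e \"x\">]><props>&e;</props>";
        try {
            parseWriteProp(withDoctype);
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (SAXException rejected) {
            System.out.println("rejected: " + rejected.getMessage());
        }
    }
}
```

Apply the same settings to any SAXParserFactory, XMLInputFactory or TransformerFactory the endpoint uses, since each factory has its own defaults.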