Yimioa XML External Entity Injection Vulnerability Allowing Arbitrary Code Execution
Vulnerability
A vulnerability allowing XML external entity (XXE) injection has been identified in Yimioa versions prior to 2024.07.04. This vulnerability resides in the component '/weixin/aes/XMLParse.java' and allows attackers to execute arbitrary code by supplying a crafted XML file. The issue arises because the XML parser does not properly restrict external entity processing, enabling the injection of malicious entities that can be used to read files or perform other unauthorized actions.
Impact
Exploitation of this vulnerability could lead to unauthorized execution of arbitrary code on the server where Yimioa is running.
Reproduction
The vulnerability can be reproduced by sending a POST request to the '/oa/servlet/WXCallBack' endpoint with a crafted XML payload that includes an external entity reference. The 'postData' parameter must be controlled to inject the XXE payload. After ensuring that the 'encodingAesKey' variable length is set correctly, the injected entity can be used to read files from the server.
Remediation
Users are advised to update to Yimioa version 2024.07.04 or later, where this vulnerability has been addressed.
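The root cause described above is an XML parser left with external entity processing enabled. As an added defensive illustration (not Yimioa's code or its actual fix), the Java snippet below shows a DocumentBuilder configured to reject DTDs and external entities before parsing an untrusted callback body; the class and method names, and both sample documents, are constructed for this example.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.w3c.dom.Document;

public class HardenedXmlParse {

    /** Build a DocumentBuilder that refuses DTDs and external entities entirely. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Rejecting any DOCTYPE at all closes off external general entities, parameter
        // entities and entity-expansion attacks in one step.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a parser implementation ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    /** Parse an untrusted XML body; returns null when the parser rejects the document. */
    static Document parseUntrusted(String xml) {
        try {
            byte[] bytes = xml.getBytes(StandardCharsets.UTF_8);
            return hardenedBuilder().parse(new ByteArrayInputStream(bytes));
        } catch (Exception e) {
            // SAXException from the rejected DOCTYPE, or a configuration/IO failure.
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: a body carrying an external entity declaration (placeholder URI).
        String withDoctype = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE x [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER\">]>"
            + "<xml><Encrypt>&ext;</Encrypt></xml>";
        // Constructed sample: the same element layout with no DTD at all.
        String plain = "<xml><Encrypt>ciphertext-goes-here</Encrypt></xml>";

        System.out.println("DOCTYPE body: " + (parseUntrusted(withDoctype) == null ? "rejected" : "accepted"));
        System.out.println("plain body:   " + (parseUntrusted(plain) == null ? "rejected" : "accepted"));
    }
}
```

The same feature set applies to SAXParserFactory and XMLInputFactory if the component parses with those instead of a DocumentBuilder.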