OpenCC JFlow Workflow Engine XXE Vulnerability in Imp_Done Method
Vulnerability
A XML External Entity (XXE) injection vulnerability has been identified in the OpenCC JFlow workflow engine, specifically in versions prior to 20260129. The issue resides in the Imp_Done method of the WF_Admin_AttrFlow.java file. This vulnerability allows remote attackers to manipulate XML files uploaded through a multipart form-data request, potentially leading to the disclosure of local files, server-side request forgery, or denial-of-service conditions.
Impact
Exploitation of this vulnerability allows for XML External Entity injection, which can be used to read arbitrary files on the server, conduct server-side request forgery attacks, or cause denial-of-service conditions by exploiting the XML parser.
Reproduction
To reproduce this vulnerability, upload a crafted XML file containing external entity declarations via the 'file' field of a multipart form-data request. The Imp_Done method will parse the uploaded XML, leading to the XXE vulnerability.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.