Slovensko.Digital Autogram XML External Entity Vulnerability Allowing Server-Side Request Forgery
Vulnerability
A vulnerability caused by improper restriction of XML external entity references (XXE) has been identified in Slovensko.Digital Autogram version 2.7.1. It allows remote, unauthenticated attackers to conduct server-side request forgery (SSRF) attacks and to gain unauthorized access to local files on the victim's filesystem. The root cause is that the application, which runs a local HTTP server for electronic signing, does not adequately restrict external entity processing in the XML input it accepts. Exploitation requires the victim to visit a specially crafted website that sends an XML document to the application's local HTTP server.
Impact
Exploitation of this vulnerability could lead to successful SSRF attacks, allowing attackers to access local files on the victim's machine.
Reproduction
To reproduce this vulnerability, the victim must be running Slovensko.Digital Autogram version 2.7.1. The attacker must craft a website that, when visited by the victim, sends a request containing a specially crafted XML document to the '/sign' endpoint of the local HTTP server that Autogram runs. The XML document exploits the XXE vulnerability by referencing external entities or DTDs that, when processed, can exfiltrate local files to the attacker's server.
Remediation
Users are advised to upgrade to Slovensko.Digital Autogram version 2.7.2, which addresses this vulnerability by properly restricting XML external entity references. The latest version can be downloaded from the official Autogram GitHub releases page.
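The fix class described above is to make the XML parser refuse DTDs and external entities before any signing logic runs. The following is an added illustration of that control and is not Autogram's own code (Autogram is a Java application; this is an independent Python example using the standard-library expat parser). The request element names (`SigningRequest`, `Document`) and the function names are assumptions made for the example; the sample documents are constructed here.

```python
"""Hardened XML intake for a local signing endpoint: reject DTDs and
external entity references before the document reaches the parser.

Added example, not Autogram's code. Element names and the
file:// placeholder below are constructed for illustration."""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when an incoming XML document uses a DTD or external entity."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # Any DOCTYPE is refused: signing requests never legitimately need one.
    raise UnsafeXMLError(f"DOCTYPE '{name}' is not allowed in signing requests")


def _reject_entity_decl(name, is_param, value, base, sysid, pubid, notation):
    # Defence in depth: entity declarations can only appear inside a DTD,
    # but refusing them explicitly keeps the policy obvious.
    raise UnsafeXMLError(f"entity declaration '{name}' is not allowed")


def _reject_external_ref(context, base, sysid, pubid):
    # Never resolve external entities (file://, http://, ...); this is the
    # step that turns an XXE into SSRF or local file disclosure.
    raise UnsafeXMLError(f"external entity reference to '{sysid}' is not allowed")


def check_no_dtd(data: bytes) -> None:
    """Run expat over the bytes with handlers that abort on DTD constructs.

    Raising inside an expat handler stops parsing and propagates the
    exception out of Parse(), so the document is rejected wholesale."""
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.EntityDeclHandler = _reject_entity_decl
    parser.ExternalEntityRefHandler = _reject_external_ref
    parser.Parse(data, True)


def parse_signing_request(data: bytes) -> ET.Element:
    """Parse an untrusted signing request only after the DTD gate passes."""
    check_no_dtd(data)
    return ET.fromstring(data)


def is_accepted(data: bytes) -> bool:
    """Convenience wrapper: True if the request is parsed, False if rejected."""
    try:
        parse_signing_request(data)
        return True
    except UnsafeXMLError:
        return False


# Constructed sample inputs (assumed request shape, not Autogram's format).
SAFE_REQUEST = b"""<?xml version="1.0"?>
<SigningRequest><Document>hello</Document></SigningRequest>"""

# A request carrying an internal DTD with an external entity; the file://
# target is a placeholder, not a real path of interest.
DTD_REQUEST = b"""<?xml version="1.0"?>
<!DOCTYPE SigningRequest [
  <!ENTITY ext SYSTEM "file:///placeholder/local-file">
]>
<SigningRequest><Document>&ext;</Document></SigningRequest>"""


if __name__ == "__main__":
    print("safe request accepted:", is_accepted(SAFE_REQUEST))   # True
    print("DTD request accepted:", is_accepted(DTD_REQUEST))     # False
```

The gate runs before the real parse so that the policy does not depend on which parser or library builds the tree later; a parser that cannot be configured to refuse DTDs is still protected because the document never reaches it.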
