Johan Hôgre

**Name of the Vulnerable Software and Affected Versions** OFBiz versions 16.11.01 through 16.11.04 **Description** The issue affects the /webtools/control/xmlrpc endpoint in the OFBiz XML-RPC event handler, making it vulnerable to External Entity Injection. This is achieved by passing DOCTYPE declarations with executable payloads, which can disclose the contents of files in the filesystem. Additionally, it can be used to probe for open network ports and determine whether a file exists or not based on returned error messages. **Recommendations** For OFBiz versions 16.11.01 through 16.11.04, consider disabling access to the /webtools/control/xmlrpc endpoint until a patch is available. As a temporary workaround, restrict the use of the XML-RPC event handler to minimize the risk of exploitation. Avoid using the endpoint for sensitive operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.