CVE-2013-3617

Name of the Vulnerable Software and Affected Versions Openbravo ERP versions 2.5, 3.0, and earlier

Description The issue allows remote authenticated users to read arbitrary files via an XML document with an external entity declaration in conjunction with an entity reference to "/ws/dal/ADUser" or other "/ws/dal/XXX" interfaces, related to an XML External Entity (XXE) issue.

Recommendations For Openbravo ERP versions 2.5, 3.0, and earlier, consider restricting access to the XML API until a fix is available. As a temporary workaround, consider disabling the XML API or limiting its functionality to minimize the risk of exploitation. Avoid using the /ws/dal/ADUser and other /ws/dal/XXX interfaces in the XML API until the issue is resolved.