PT-2024-13250 · Opentext · Opentext Appbuilder

George Mathias · Published 2024-01-29 · Updated 2024-02-05 · CVE-2023-4554

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: OpenText AppBuilder versions 21.2 through 23.2

Description: OpenText AppBuilder is affected by an Improper Restriction of XML External Entity Reference (XXE) vulnerability that allows Server Side Request Forgery (SSRF) and disclosure of files on the server. AppBuilder's XML processor resolves external entities declared in the documents it parses, so an authenticated user can upload a specially crafted XML file whose DOCTYPE declares an entity that points at a local file path or a URL. When the server processes the upload, the referenced local file is read into the document and returned to the attacker, or the referenced URL is requested by the server on the attacker's behalf. The CVSS vector reflects this: reachable over the network, low-privilege authenticated access, high confidentiality impact, no integrity or availability impact.

Recommendations: Versions 21.2 through 23.2 are affected, so upgrading to 23.2 does not resolve the issue; upgrade to the release newer than 23.2 that contains the vendor fix. Until the fix is deployed: restrict which accounts can upload XML to the affected processor, or disable the processor; where the parser is configurable, reject DTDs and disable external entity resolution; run the AppBuilder service under a least-privilege account so that a disclosed file can only be one that account can read; and apply egress filtering so the server cannot reach internal services on behalf of a crafted upload.
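The following is an added example, not OpenText AppBuilder code: a toy XML processor built on Python's standard-library expat binding that shows the mechanics the description refers to. The vulnerable configuration honours SYSTEM entities, so the crafted upload reads a file off disk (file disclosure) and would issue a request to a URL of the uploader's choosing (SSRF); the hardened configuration rejects any DOCTYPE before an entity can be declared. The secrets file, entity names and the intranet URL are all constructed for the demo; the SSRF request is recorded rather than performed so the example runs offline.

```python
"""Toy XML processor demonstrating XXE file disclosure and SSRF.

Constructed example, not OpenText AppBuilder code. Drives Python's stdlib
expat binding directly so the result does not depend on lxml or on SAX
feature defaults. File path, entity names and intranet URL are made up.
"""
import os
import tempfile
import xml.parsers.expat as expat
from urllib.parse import urlparse


class DoctypeRejected(Exception):
    """Raised by the hardened configuration when an upload carries a DTD."""


def parse_upload(xml_bytes: bytes, resolve_external: bool):
    """Return (text content, URLs the processor would fetch).

    resolve_external=True mimics a processor that honours SYSTEM entities
    (the vulnerable configuration). False rejects any DOCTYPE, so no
    entity can be declared at all (the hardening applied here).
    """
    chunks = []
    outbound = []  # non-file SYSTEM ids: the SSRF side of the bug
    parser = expat.ParserCreate()

    def on_chars(data):
        chunks.append(data)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if not resolve_external:
            raise DoctypeRejected(f"DTD not allowed in uploads (DOCTYPE {name})")

    def on_external_entity(context, base, system_id, public_id):
        # Vulnerable behaviour: read whatever the uploader pointed at and
        # splice it into the document as parsed text.
        url = urlparse(system_id)
        if url.scheme == "file":
            with open(url.path, "rb") as f:
                body = f.read()
            child = parser.ExternalEntityParserCreate(context)
            child.Parse(body, True)  # character data lands in on_chars
        else:
            # http:// etc. would be an outbound request from the server;
            # recorded instead of performed so the demo runs offline.
            outbound.append(system_id)
        return 1

    parser.CharacterDataHandler = on_chars
    parser.StartDoctypeDeclHandler = on_doctype
    if resolve_external:
        parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(xml_bytes, True)
    return "".join(chunks), outbound


def demo():
    """Feed one crafted upload to both configurations.

    Returns (leaked text, outbound URLs, whether the hardened parser
    rejected the upload).
    """
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "app.properties")  # constructed file
        with open(secret_path, "w") as f:
            f.write("db_password=hunter2\n")
        payload = f"""<?xml version="1.0"?>
<!DOCTYPE upload [
  <!ENTITY secret SYSTEM "file://{secret_path}">
  <!ENTITY probe SYSTEM "http://intranet.example/admin">
]>
<upload><name>&secret;</name><note>&probe;</note></upload>""".encode()

        leaked, requests = parse_upload(payload, resolve_external=True)
        try:
            parse_upload(payload, resolve_external=False)
            rejected = False
        except DoctypeRejected:
            rejected = True
    return leaked, requests, rejected


if __name__ == "__main__":
    leaked, requests, rejected = demo()
    print("vulnerable config leaked:", repr(leaked))
    print("vulnerable config would request:", requests)
    print("hardened config rejected upload:", rejected)
```

Rejecting the DOCTYPE outright is the simplest durable fix because it removes the mechanism rather than one payload shape; the same idea in common stacks is the `disallow-doctype-decl` feature on a Java `DocumentBuilderFactory` or `etree.XMLParser(resolve_entities=False, no_network=True)` in lxml. Egress filtering on the server is a separate control: it does not stop the file disclosure, only the SSRF.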

Tags: Fix, XXE


Weakness Enumeration

CWE-611: Improper Restriction of XML External Entity Reference

Related Identifiers

CVE-2023-4554

Affected Products

OpenText AppBuilder