Abstract Advisory Information

The API is prone to XXE (XML External Entity) injection.

Author: Dominique Righetto

Version affected

Name: JDOF

Versions: 1.1.100

Common Vulnerability Scoring System

5.3

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/A:N

Patches

1.1.110

References

Vulnerability Disclosure Timeline

  • 03/01/2023: Vulnerability discovery
  • 03/01/2023: Vulnerability Report to CERT-XLM
  • 06/01/2023: First contact with vendor through email #4902
  • 20/01/2023: Vulnerability Report to Vendor through investigation #4902
  • 03/02/2023: Vulnerability Report to Vendor through investigation #4902
  • 10/02/2023: Vulnerability Report to Vendor through WebForm
  • 10/02/2023: Vulnerability Report to Vendor through investigation #5142
  • 03/03/2023: Vulnerability Report to Vendor through investigation #5142
  • 03/03/2023: Acknowledgement from vendor. Vulnerability fixed in 1.1.110
  • 10/03/2023: CVE ID requested from MITRE
  • 13/03/2023: CVE number assigned: CVE-2023-28150
  • 17/03/2023: Public disclosure by Excellium Services