CVE-2023-46502
Published: 30 October 2023
Summary
CVE-2023-46502 is a critical-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in openCRX. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 37.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-2792
Vulnerability details
An issue in openCRX v.5.2.2 allows a remote attacker to read internal files and execute a server-side request forgery attack via an insecure DocumentBuilderFactory.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing includes XML external entity payloads, detecting XXE vulnerabilities and enabling their mitigation.
- Identifies XML external entity processing via monitoring of unusual file/network access or resource usage.
- Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact.
- Validates server-side URLs and resource references to block SSRF attempts.