An XML External Entity (XXE) vulnerability in opensagres XDocReport v0.9.2 to v2.0.3 allows attackers to execute arbitrary code via uploading a crafted .docx file.
The XDocReport library processes .docx files (which are ZIP archives containing XML documents) without proper protection of the XML parser against external entities. An attacker can place a malicious XML External Entity (XXE) declaration in a specially crafted .docx file, which causes the server to read local files or establish network connections. As a result, arbitrary code execution (RCE) is possible on the server processing the file.
An attacker can execute arbitrary code on the vulnerable server, leading to complete breach of confidentiality, integrity, and availability of the system. It is also possible to read local server files (e.g., configuration files, password files) and further expansion in the network (lateral movement).
The opensagres XDocReport library should be updated to a version higher than 2.0.3. Patches available from the vendor should be applied according to the references. Additionally, it is recommended to restrict the ability to upload .docx files only to trusted users and configure the XML parser with external entity processing disabled (DTD/XXE disabled).
opensagres XDocReport in versions from 0.9.2 to 2.0.3 inclusive
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HOpensagres Xdocreport
APPOpensagres0.9.2 – 2.0.3