VYPR
High severity · NVD Advisory · Published Nov 27, 2020 · Updated Aug 5, 2024

CVE-2017-15685

Description

Crafter CMS Crafter Studio 3.0.1 is affected by: XML External Entity (XXE). An unauthenticated attacker is able to create a site with specially crafted XML that allows the retrieval of OS files out-of-band.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Crafter CMS Studio 3.0.1 allows unauthenticated attackers to create a site with specially crafted XML, enabling XXE to retrieve OS files out-of-band.

Vulnerability Analysis

CVE-2017-15685 is an XML External Entity (XXE) vulnerability in Crafter CMS Crafter Studio version 3.0.1 [1]. The root cause is that the application parses XML input without disabling DTD processing and external entity resolution, so an attacker can supply a document type declaration that defines external entities referencing local or remote resources.

Exploitation

An unauthenticated attacker can exploit this vulnerability by creating a site (or manipulating site creation data) with a specially crafted XML payload [1]. No authentication is required, and the attack can be carried out over the network. The crafted XML is parsed by Crafter Studio's XML processing component, which then attempts to resolve the external entities defined by the attacker.

Impact

Successful exploitation allows the attacker to read arbitrary operating system files from the server out-of-band [1]. This can lead to disclosure of sensitive information such as configuration files containing passwords, application source code, or other confidential data. The out-of-band data exfiltration technique means the attacker can receive the stolen data via an external server they control.

Mitigation

Crafter CMS has likely addressed this issue in subsequent versions, but as of the publication date (2020-11-27), users of Crafter Studio 3.0.1 were advised to upgrade to a patched version or apply secure XML parsing configurations [1]. Organizations should verify whether they are still running the affected version and, if so, update immediately to prevent exploitation.
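The "secure XML parsing configuration" referred to above, shown as an added Java example (not Crafter Studio's own code): a DocumentBuilderFactory hardened against XXE, exercised against two constructed site-definition documents. The parseSiteDefinition method and both sample documents are assumptions made for this illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class HardenedXmlParser {

    // Builds a DocumentBuilderFactory with DTD processing and external entity resolution disabled.
    public static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Rejecting every DOCTYPE is the strongest setting: it removes the DTD an XXE payload needs.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for deployments that must accept DOCTYPEs: no external entities of either kind.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Hypothetical site-definition parser: returns the root element name, or throws if the input is rejected.
    public static String parseSiteDefinition(String xml) throws Exception {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        Document doc = builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getDocumentElement().getTagName();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a plain site definition with no DTD parses normally.
        String plain = "<?xml version=\"1.0\"?><site><name>demo</name></site>";
        System.out.println("plain document root: " + parseSiteDefinition(plain));

        // Constructed sample: the same document carrying a DOCTYPE with an internal entity.
        // With disallow-doctype-decl enabled the parser rejects it before any entity is resolved.
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE site [<!ENTITY greeting \"hi\">]><site>&greeting;</site>";
        try {
            parseSiteDefinition(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXParseException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The same feature flags apply to SAXParserFactory and, via setProperty on XMLInputFactory, to StAX readers; check every XML entry point the application exposes, not only the one named in the advisory.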

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                  Affected versions   Patched versions
org.craftercms:crafter-studio (Maven)    < 3.0.2             3.0.2
