CVE-2022-34832
Description
An issue was discovered in VERMEG AgileReporter 21.3. XXE can occur via an XML document to the Analysis component.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
VERMEG AgileReporter 21.3 Analysis component has an XXE vulnerability allowing admin users to achieve LFI, directory listing, and DoS via XML bomb.
Vulnerability
VERMEG AgileReporter version 21.3 contains an XML External Entity (XXE) vulnerability in the Analysis component, specifically in the 'Config Package Binding' → 'Manage Execution Groups' option where XML files are imported. The XML parser does not disable external entity processing, allowing an attacker to inject malicious XML content [1].
Exploitation
Only an authenticated admin user can exploit this vulnerability. The attacker uploads a crafted XML file (e.g., an XML bomb for denial of service or a modified Execution Group export containing entity declarations) via the import functionality. The request is sent to /agilereporter/core/page/admin/config/configPackageBinding.xhtml?dswid=-3091 [1].
Impact
Successful exploitation can lead to denial of service (the web application becomes unavailable for hours due to an XML bomb), or local file inclusion and directory listing (allowing access to system files, user data, and mounted drives). The XML parser processes the entity, returning file contents in the response [1].
Mitigation
No official patch or mitigation has been disclosed by VERMEG as of the publication date. Restricting admin account access and disabling unnecessary XML parsing features may reduce risk, but no fix is currently available [1].
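The "disable unnecessary XML parsing features" advice above amounts to hardening the parser that handles the imported Execution Group file. The following is an added illustration, not AgileReporter's code: it assumes the import is parsed with a JAXP DocumentBuilder (the page does not say which parser the product uses) and uses constructed element names. With DOCTYPE declarations refused outright, neither an external entity (file disclosure, directory listing) nor a nested internal entity (XML bomb) can be declared in the uploaded document.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

public class HardenedXmlImport {

    // Parser that refuses any DOCTYPE, so no entity of either kind can be declared.
    // The remaining settings are defence in depth in case a DOCTYPE ever has to be allowed.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    // Outcome of one import attempt: accepted, or rejected with the parser's reason.
    static String importExecutionGroup(String xml) {
        try {
            Document doc = hardenedBuilder().parse(new InputSource(new StringReader(xml)));
            return "accepted: root element <" + doc.getDocumentElement().getTagName() + ">";
        } catch (SAXParseException e) {
            return "rejected: " + e.getMessage();
        } catch (Exception e) {
            return "rejected: " + e;
        }
    }

    public static void main(String[] args) {
        // Constructed sample (element names are assumptions): a plain export without DOCTYPE.
        String clean = "<executionGroups><group name=\"monthly\"/></executionGroups>";
        // Constructed sample: the same export with an entity declaration, the construct the
        // XXE and XML-bomb uploads depend on. The entity is a harmless internal one here;
        // the hardened parser rejects the DOCTYPE before any entity is expanded.
        String withDoctype = "<!DOCTYPE executionGroups [<!ENTITY e \"x\">]>"
            + "<executionGroups><group name=\"&e;\"/></executionGroups>";
        System.out.println(importExecutionGroup(clean));        // accepted
        System.out.println(importExecutionGroup(withDoctype));  // rejected: DOCTYPE is disallowed
    }
}
```

The same feature names apply to SAXParserFactory and XMLInputFactory-based parsers; whichever the import uses, the check belongs on the server side, since the vulnerable request is an admin upload rather than anything a client-side control can filter.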
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- VERMEG/AgileReporter
- Range: =21.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.