How severe is CVE-2024-28198?

This vulnerability has a severity rating of HIGH with a CVSS score of 7.5 out of 10.

What type of vulnerability is CVE-2024-28198?

This is classified as CWE-611, which is a common weakness in software security.

CVE-2024-28198 - HIGH Severity | CVSS 7.5

Vulnerability Description

OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. By manually manipulating http requests when using the draw.io integration it is possible to read arbitrary files as the configured system user and SSRF. The problem is fixed in version 18.1.6 and 18.2.2. It is advised to upgrade to the latest version of 18.1.x or 18.2.x. Users unable to upgrade may work around this issue by disabling the Draw.io module or the entire REST API which will secure the system.

Related Vulnerabilities

CVE-2005-1306

HIGH

CVSS:7.5(High)

The Adobe Reader control in Adobe Reader and Acrobat 7.0 and 7.0.1 allows remote attackers to determine the existence of files via Javascript containing XML script, aka the "XML External Entity vulner...

CWE-6112005

CVE-2009-1699

HIGH

CVSS:7.5(High)

The XSL stylesheet implementation in WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 does not properly handle XML external entities, whic...

CWE-6112009

CVE-2011-3600

HIGH

CVSS:7.5(High)

The /webtools/control/xmlrpc endpoint in OFBiz XML-RPC event handler is exposed to External Entity Injection by passing DOCTYPE declarations with executable payloads that discloses the contents of fil...

CWE-6112011

CVE-2012-1102

HIGH

CVSS:7.5(High)

It was discovered that the XML::Atom Perl module before version 0.39 did not disable external entities when parsing XML from potentially untrusted sources. This may allow attackers to gain read access...

CWE-6112012

CVE-2012-2656

HIGH

CVSS:7.5(High)

An XML eXternal Entity (XXE) issue exists in Restlet 1.1.10 in an endpoint using XML transport, which lets a remote attacker obtain sensitive information.

CWE-6112012

CVE-2012-4399

HIGH

CVSS:7.5(High)

The Xml class in CakePHP 2.1.x before 2.1.5 and 2.2.x before 2.2.1 allows remote attackers to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) ...

CWE-6112012