Weaver E-cology API /rest/ofs/*ByXml XML External Entity Reference

Advisories

Weaver E-cology API /rest/ofs/*ByXml XML External Entity Reference

severity: high
date: 1/27/2026
Affecting: E-cology 9.x < 10.58.2
E-cology 8.x < 10.58.2
CVE: CVE-2023-2806
CWE: CWE-611 XML External Entity Reference
CVSS: 8.8
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
References: Weaver Patch Download Webpage
VulDB Coordinator Advisory
strangerss Researcher Disclosure
CSDN Blog Disclosure
CNBlogs Disclosure
Credit: strangerss
Description: Weaver E-cology versions 8.x and 9.x prior 10.58.2 contain an XML external entity (XXE) vulnerability in the /rest/ofs/*ByXml request handling logic, including /rest/ofs/ReceiveCCRequestByXml and /rest/ofs/deleteUserRequestInfoByXml. The application parses attacker-supplied XML with insufficient restriction on external entity resolution, which can allow an unauthenticated remote attacker to induce outbound requests (SSRF) and potentially access sensitive data. Exploitation evidence was first observed by the Shadowserver Foundation on 2023-08-16 (UTC).
VulnCheck KEV: This advisory is in the VulnCheck KEV database

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo