Home > Vulnerability Database > CVE-2024-28198

Mend.io Vulnerability Database

CVE-2024-28198

Good to know:

Date: March 11, 2024

OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. By manually manipulating http requests when using the draw.io integration it is possible to read arbitrary files as the configured system user and SSRF. The problem is fixed in version 18.1.6 and 18.2.2. It is advised to upgrade to the latest version of 18.1.x or 18.2.x. Users unable to upgrade may work around this issue by disabling the Draw.io module or the entire REST API which will secure the system.

Language: Java

Severity Score

4.6

Related Resources (5)

Url: https://github.com/OpenOLAT/OpenOLAT/security/advisories/GHSA-pqvm-h9mg-434c

Url: https://track.frentix.com/issue/OO-7553/XXE-injection-in-draw.io-endpoint

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-28198

Url: https://github.com/OpenOLAT/OpenOLAT/commit/23e6212e9412c3b099436159b8c8935321c91872

Url: https://www.mend.io/vulnerability-database/CVE-2024-28198

Severity Score

4.6

Top Fix

Upgrade Version

Upgrade to version OpenOLAT_18.1.6,OpenOLAT_18.2.2

Learn More

CVSS v3.1

Base Score:	4.6
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2024-28198

Good to know:

Date: March 11, 2024

Language: Java

Severity Score

Related Resources (5)

Severity Score

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?