From this webpage screenshot, the following key information about the vulnerability can be obtained:

1. Affected Vendor and Product:
   - Vendor: Journeyx
   - Product: Journeyx (jtime)
   - Version: 11.5.4

2. Vulnerability Description:
   - Journeyx's soap_cgi.py API handler allows XML requests to contain references to external entities.
   - This lets unauthenticated attackers read local files, perform Server-Side Request Forgery (SSRF), and exhaust web server resources.

3. Technical Description:
   - Without authenticating, a user can send HTTP requests to the "/jtcgi/soap_cgi.py" endpoint.
   - The request body is parsed as XML by the Journeyx web server.
   - The SOAP request is handled by a third-party component, SOAPpy, which uses Python's built-in "xml.sax" parser.
   - Versions 3.7.1 and earlier of "xml.sax" allow XML external entities by default.
   - A custom "Parser.py" file can disable external entity processing.

4. Mitigation and Remediation Recommendations:
   - Disable external entity processing by supplying a custom "Parser.py" file for SOAPpy.
   - Block access to "/jtcgi/soap_cgi.py" with ModSecurity rules.

5. Discoverer:
   - The vulnerability was discovered by Jaggar Henry of KoreLogic, Inc.

6. Disclosure Timeline:
   - January 31, 2024: KoreLogic notified Journeyx of its intent to disclose the vulnerability.
   - February 2, 2024: Journeyx confirmed receipt of the vulnerability details.
   - February 9, 2024: Journeyx confirmed the vulnerability had been fixed.
   - July 1, 2024: KoreLogic notified Journeyx of the upcoming public disclosure.
   - August 7, 2024: KoreLogic publicly disclosed the vulnerability.

7. Exploitation Example:
   - A Python script sends SOAP requests that attempt to exploit the vulnerability.
   - By modifying parameters in the SOAP request, the script attempts to read files on the server.
Taken together, this gives a detailed description of the Journeyx unauthenticated XML External Entity (XXE) injection vulnerability, along with its mitigation measures.