Key Vulnerability Information from the Webpage Screenshot

Vulnerability: XML External Entity (XXE) Vulnerability

Product / Versions: OpenClinica Community Edition
- 3.13 (Changeset: 74f4df3481b6, 2017-02-28)
- 3.12.2 (Changeset: 347dcfca3d17, OpenClinica VM Image)

Affected Area: Tasks → Import CRF Data (multipart upload parameter: )

Authentication: Authenticated (tested as Data Manager and Clinical Research Coordinator)

Summary: The XML parser processes external entities. A crafted XML can read local files (e.g., ) and reflect their contents back in the UI error block, confirming XXE with file disclosure and potential SSRF.

Proof of Concept (PoC):

evil.xml:

malicious.dtd:

Raw Request (Abridged):

Impact:
- Read arbitrary local files as the application user (secrets, config, keys)
- Potential SSRF by pointing entities at internal HTTP services

Severity (Suggested):
- CVSS v3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N → 7.1 High
- CWE: 611 (XXE)

Remediation:
- Disable DTD/XXE on the XML parser:
  -
  -
  -
  -
- Validate uploaded XML against a strict schema server-side.
- Minimize file permissions of the OpenClinica/Tomcat user.

Timeline:
- 2025-10-09: Discovered and reproduced on 3.12.2 and 3.13 images.
- 2025-10-09: Attempted to contact vendor, no response.
- 2025-10-23: Reported to VulDB.