CVE-2023-50649 - XXE in Viola-GPX-Viewer
Description
The GPX Viewer web application is vulnerable to an XML external entity (XXE) attack, in which a crafted GPX file allows a malicious user to dump sensitive files and information from the host machine. This is done by injecting malicious entities into the GPX file.
Proof of Concept
Install the application locally by following the documentation provided in the code repository. Upload the malicious GPX file: https://drive.google.com/file/d/1o3LEc_8CV-guULaxO8Z9Q2lbND9V4l9M/view?usp=sharing
Observe the output of /etc/passwd in the PoC video: https://drive.google.com/file/d/1g1Gcp59jq0MGKXOX2HzcgzAB1kVnACkJ/view?usp=sharing
Impact
This can allow an attacker to inject arbitrary code into the context of the application, dumping underlying host data such as /etc/passwd and various other sensitive files.
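
A mitigation for the GPX parsing path described above, as an added example that is not taken from the Viola-GPX-Viewer code base: it refuses any upload that carries a DOCTYPE before the file reaches the real parser, which is safe for GPX 1.1 because that format is defined by an XML Schema and needs no DTD. The choice of Python, the names load_waypoints and UnsafeGpxError, and both sample files are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

GPX_NS = "{http://www.topografix.com/GPX/1/1}"


class UnsafeGpxError(ValueError):
    """Upload contains a DTD, the only place entities can be declared."""


def _forbid_doctype(name, sysid, pubid, has_internal_subset):
    # expat calls this as soon as it sees "<!DOCTYPE"; raising here aborts
    # the parse before any entity declaration is processed.
    raise UnsafeGpxError("DOCTYPE declarations are not accepted in GPX uploads")


def load_waypoints(data: bytes) -> list:
    """Return [(lat, lon), ...] from a GPX upload, rejecting any DTD."""
    # Pass 1: probe the raw bytes with a bare expat parser that forbids DTDs.
    probe = expat.ParserCreate()
    probe.StartDoctypeDeclHandler = _forbid_doctype
    try:
        probe.Parse(data, True)
    except expat.ExpatError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    # Pass 2: the document has no DTD, so no entity can be defined in it.
    root = ET.fromstring(data)
    return [(float(w.get("lat")), float(w.get("lon")))
            for w in root.iter(GPX_NS + "wpt")]


# Constructed sample: an ordinary GPX 1.1 file with one waypoint.
CLEAN_GPX = b"""<?xml version="1.0" encoding="UTF-8"?>
<gpx version="1.1" creator="constructed-sample"
     xmlns="http://www.topografix.com/GPX/1/1">
  <wpt lat="52.5" lon="13.4"><name>A</name></wpt>
</gpx>"""

# Constructed sample: same shape, but with a DTD declaring an external
# entity (placeholder system identifier) that the name element references.
DTD_GPX = b"""<?xml version="1.0"?>
<!DOCTYPE gpx [<!ENTITY note SYSTEM "file:///constructed/placeholder">]>
<gpx version="1.1" creator="constructed-sample"
     xmlns="http://www.topografix.com/GPX/1/1">
  <wpt lat="0" lon="0"><name>&note;</name></wpt>
</gpx>"""

if __name__ == "__main__":
    print(load_waypoints(CLEAN_GPX))
```

The rejection should be logged with the uploader's identity, since a legitimate GPX exporter has no reason to emit a DOCTYPE.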