
CVE-2019-12180

Published: 05/02/2020 Updated: 24/08/2020
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
VMScore: 828
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

An issue exists in SmartBear ReadyAPI up to and including 2.8.2 and 3.0.0 and SoapUI up to and including 5.5. When opening a project, the Groovy "Load Script" is automatically executed. This allows a malicious user to execute arbitrary Groovy Language code (Java scripting language) on the victim machine by inducing the victim to open a malicious Project. The same issue is present in the "Save Script" function, which is executed automatically when saving a project.
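A pre-open check for the behaviour described above, as an added example (not code from the advisory or from SmartBear): it lists any project-level Load Script or Save Script stored in a project file so it can be reviewed before the file is opened in an affected version. The element names `afterLoadScript` and `beforeSaveScript` and the sample project are assumptions, not taken from this page.

```python
import sys
import xml.etree.ElementTree as ET

# Assumed element names for the project-level "Load Script" and "Save Script".
# They are matched by local name, so the namespace prefix does not matter.
AUTO_RUN = {"afterLoadScript": "Load Script", "beforeSaveScript": "Save Script"}

# Constructed sample project file (not from the page); the script is benign.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<con:soapui-project name="demo" xmlns:con="http://eviware.com/soapui/config">
  <con:settings/>
  <con:afterLoadScript>log.info("project loaded")</con:afterLoadScript>
  <con:beforeSaveScript>   </con:beforeSaveScript>
</con:soapui-project>"""


def find_auto_scripts(xml_text):
    """Return [(label, script_text)] for every non-empty auto-run script."""
    if "<!DOCTYPE" in xml_text:
        # A project file needs no DTD; refuse it rather than expand entities.
        raise ValueError("DOCTYPE present, refusing to parse")
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        local = elem.tag.rsplit("}", 1)[-1]
        script = (elem.text or "").strip()
        if local in AUTO_RUN and script:
            findings.append((AUTO_RUN[local], script))
    return findings


if __name__ == "__main__":
    # Usage: python check_project.py <project.xml>; no argument scans SAMPLE.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE
    hits = find_auto_scripts(text)
    for label, script in hits:
        print(f"[!] {label} present ({len(script)} chars): {script[:80]!r}")
    # Non-zero exit lets a wrapper script block the open until reviewed.
    sys.exit(1 if hits else 0)
```
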

Vulnerable Product

smartbear readyapi

smartbear soapui

Github Repositories

Advisory & PoC

CVE-2019-12180 Advisory & PoC. SoapUI and ReadyAPI allow you to create or add dynamic contents to test cases (for example, to calculate a timestamp on the fly) using Apache Groovy Language scripts. Execution of these scripts can be triggered in many ways and they are stored inside the XML "Project file" once a project is saved. The "Load Script" funct