What is CVE-2024-6893?

CVE-2024-6893 is a vulnerability in Journyx (Jtime), classified under Improper Restriction of XML External Entity Reference (XXE). Published 2024-08-07.

Is CVE-2024-6893 known to be exploited?

4 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

XXE in Journyx (Jtime)

CVE-2024-6893

The "soap_cgi.pyc" API handler allows the XML body of SOAP requests to contain references to external entities. This allows an unauthenticated attacker to read local files, perform server-side request forgery, and overwhelm the web server…

Vulnerability class: XXE (XML External Entity)

EPSS: 0.914 (99.7th percentile) — read the EPSS interpretation.

Affected products

Journyx (Jtime) — versions 11.5.4

Weakness classification (CWE)

CWE-611 — Improper Restriction of XML External Entity Reference (XXE)

Public proof-of-concept exploits

References

korelogic.com/Resources/Advisories/KL-001-2024-010.txt (third-party-advisory)

Frequently asked questions

What is CVE-2024-6893?: CVE-2024-6893 is a vulnerability in Journyx (Jtime), classified under Improper Restriction of XML External Entity Reference (XXE). Published 2024-08-07.
Is CVE-2024-6893 known to be exploited?: 4 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.