{"id":"CVE-2019-13358","details":"lib/DocumentToText.php in OpenCats before 0.9.4-3 has an XML External Entity (XXE) vulnerability that allows remote users to read files on the underlying operating system. The attacker must upload a file in the docx or odt format.","modified":"2026-04-10T04:14:41.920294Z","published":"2019-07-05T21:15:10.730Z","references":[{"type":"ADVISORY","url":"http://www.opencats.org/news/"},{"type":"REPORT","url":"https://github.com/opencats/OpenCATS/pull/440"},{"type":"EVIDENCE","url":"https://doddsecurity.com/312/xml-external-entity-injection-xxe-in-opencats-applicant-tracking-system/"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/164253/OpenCats-0.9.4-2-XML-Injection.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/opencats/opencats","events":[{"introduced":"0"},{"fixed":"920a575cf6ef7d8c3b51be1847346ee62cd77c44"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.9.4-3"}]}}],"versions":["0.9.1a","0.9.3","0.9.3-1","0.9.3-2","0.9.3-3","0.9.4","0.9.4-1","0.9.4-2","delete","opencats-0.9.3","opencats-0.9.3(alpha)","opencats-0.9.3(final)"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-13358.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}