{"id":"CVE-2023-46502","details":"An issue in openCRX v.5.2.2 allows a remote attacker to read internal files and perform server-side request forgery (SSRF) attacks via an insecure DocumentBuilderFactory.","aliases":["GHSA-q74f-rf27-8hxc"],"modified":"2026-04-12T04:43:54.447355Z","published":"2023-10-30T23:15:08.857Z","references":[{"type":"ADVISORY","url":"https://gist.github.com/spookhorror/9519fc66d3946e887e4a86c06ddbee0e"},{"type":"FIX","url":"https://github.com/opencrx/opencrx/commit/ce7a71db0bb34ecbcb0e822d40598e410a48b399"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/opencrx/opencrx","events":[{"introduced":"0"},{"last_affected":"b3a2556e7b2b24a681f1b578030d232686e4accf"},{"fixed":"ce7a71db0bb34ecbcb0e822d40598e410a48b399"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"5.2.2"}]}}],"versions":["opencrx-v4.0.0","opencrx-v4.1.0","opencrx-v4.2.0","opencrx-v4.3.0","opencrx-v4.3.0-rc.1","opencrx-v5.0-20200714","opencrx-v5.0-20200715","opencrx-v5.0-20200717","opencrx-v5.0-20200904","opencrx-v5.0.0","opencrx-v5.0.1","opencrx-v5.1.0","opencrx-v5.2.0","opencrx-v5.2.1","opencrx-v5.2.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-46502.json","vanir_signatures":[{"digest":{"length":251,"function_hash":"4624990091803290678707408489062354619"},"signature_version":"v1","signature_type":"Function","deprecated":false,"target":{"file":"core/src/main/java/org/opencrx/application/uses/net/sf/webdav/methods/WebDavMethod.java","function":"getDocumentBuilder"},"id":"CVE-2023-46502-3c6a5e37","source":"https://github.com/opencrx/opencrx/commit/ce7a71db0bb34ecbcb0e822d40598e410a48b399"},{"digest":{"threshold":0.9,"line_hashes":["39934885853195052450453065661908994518","266760719395484929759736260851091189294","178180256037544602447252192311388835290","121313014851447004866084138766703459135","245124452989860056839988864709991956380","34407548115015247540735715199724487811","33564278931250384292
5020677321699332321","243297730853301641368066154080238935851","200887312163165406206747308362111544549","70694710560957233126783157453894744840","225850866145583930326272788243098206114"]},"signature_version":"v1","signature_type":"Line","deprecated":false,"target":{"file":"core/src/main/java/org/opencrx/application/uses/net/sf/webdav/methods/WebDavMethod.java"},"id":"CVE-2023-46502-5c1e4dba","source":"https://github.com/opencrx/opencrx/commit/ce7a71db0bb34ecbcb0e822d40598e410a48b399"}],"vanir_signatures_modified":"2026-04-12T04:43:54Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}