Atlassian Crowd XML External Entity (XXE) Injection Vulnerability

Summary
This host is running Atlassian Crowd and is prone to an XML external entity (XXE) injection vulnerability.
Impact
Successful exploitation allows remote attackers to read arbitrary files on the server by sending specially crafted XML data.
Solution
Upgrade to version 2.5.4, 2.6.3, 2.7 or higher. For updates refer to http://www.atlassian.com/software/crowd/download
Insight
The flaw is due to an incorrectly configured XML parser that resolves XML external entities declared in input received from an untrusted source.
Affected
Atlassian Crowd 2.5.x before 2.5.4, 2.6.x before 2.6.3, 2.3.8, and 2.4.9
Detection
Send crafted XML data via an HTTP POST request and check whether the response discloses the contents of a system file.
References