Wednesday, January 15, 2014

SoapUI Code Execution Vulnerability - CVE-2014-1202

In this blog post I will discuss a vulnerability I’ve found in the SoapUI product before version 4.6.4 (CVE-2014-1202).
I discovered this vulnerability during a penetration test in which I saw that the SoapUI software allows the clients to execute a Java code on the local machine by putting a Java code inside the following tag:

${=JAVA CODE};