SoapUI Code Execution Vulnerability – CVE-2014-1202
In this blog post I will discuss a vulnerability I found in SoapUI versions before 4.6.4 (CVE-2014-1202).
I discovered this vulnerability during a penetration test, in which I saw that the SoapUI software allows clients to execute Java code on the local machine by placing the code inside the following tag:
${=JAVA CODE};
The vulnerability allows an attacker to execute Java code on the victim’s machine, endangering SoapUI users, including developers, penetration testers, etc.
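A defensive check for the tag described above, added here as an example and not part of the original post or of SoapUI: a small Python scanner that lists every ${=...} tag in a file received from an untrusted source before it is opened in an affected SoapUI version. The function name, the sample fragment and its element names are assumptions constructed for illustration.

```python
import sys

MARKER = "${="  # opening of the inline-code tag shown in the post


def find_inline_code(text):
    """Return (line_number, expression) for every ${=...} tag in text.

    Braces are counted so that code containing its own { } blocks is
    captured whole. A tag that never closes is still reported, because
    a truncated tag in untrusted input deserves a look too.
    Limitation: braces inside string literals are counted as well.
    """
    findings = []
    pos = text.find(MARKER)
    while pos != -1:
        depth, i = 1, pos + len(MARKER)
        while i < len(text) and depth:
            if text[i] == "{":
                depth += 1
            elif text[i] == "}":
                depth -= 1
            i += 1
        end = i - 1 if depth == 0 else i  # drop the closing brace if found
        expr = text[pos + len(MARKER):end].strip()
        findings.append((text.count("\n", 0, pos) + 1, expr))
        pos = text.find(MARKER, i)
    return findings


# Constructed sample: an XML fragment whose field values carry harmless
# expressions in the tag, next to an ordinary property reference.
SAMPLE = """<request>
  <name>plain value</name>
  <id>${=1 + 1}</id>
  <note>${=[1, 2].collect { it * 2 }}</note>
  <ref>${#Project#endpoint}</ref>
</request>
"""

if __name__ == "__main__":
    # Scan the file named on the command line, or the constructed sample.
    data = (open(sys.argv[1], encoding="utf-8", errors="replace").read()
            if len(sys.argv) > 1 else SAMPLE)
    for line, expr in find_inline_code(data):
        print(f"line {line}: inline code tag: {expr!r}")
```

Any hit in a file that came from outside your own team is a reason to read the expression before loading the file, and to upgrade to 4.6.4 or later.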