SYM_JAVA_0013 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Restriction of XML External Entity Reference
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-611: Improper Restriction of XML External Entity Reference |
| OWASP | A04:2017 - XML External Entities (XXE) |
| Confidence Level | High |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description
The XML parser is created without disabling the features that allow processing of external entities. This leaves the application vulnerable to attackers who send malicious XML that the parser interprets in unsafe ways.
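The pattern this entry flags and its fix, as an added example that is not part of the wiki page or the database's own code: the default `DocumentBuilderFactory` processes a DOCTYPE, while a factory with `disallow-doctype-decl` (plus the other JAXP entity features, as belt-and-braces) rejects it before any entity is resolved. The class name and the sample XML are constructed for this example; the feature URIs are the standard Xerces/JAXP ones.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

public class XxeHardening {

    // Vulnerable pattern flagged by this rule: the factory is used with its defaults,
    // so DOCTYPE declarations and external entities are processed.
    static DocumentBuilder unsafeBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened factory: rejecting DOCTYPE entirely closes XXE, external DTD fetches
    // and entity-expansion DoS in one setting; the remaining features are defence in depth.
    static DocumentBuilder safeBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");    // JAXP 1.5: no external DTDs
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); // JAXP 1.5: no external schemas
        return f.newDocumentBuilder();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a DOCTYPE with a harmless internal entity. Any DOCTYPE is
        // enough to show the difference, since external entities are declared the same way.
        String xml = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE note [ <!ENTITY greet \"hello\"> ]>\n"
                + "<note>&greet;</note>";

        Document d = unsafeBuilder().parse(new InputSource(new StringReader(xml)));
        System.out.println("default parser expanded entity: " + d.getDocumentElement().getTextContent());

        try {
            safeBuilder().parse(new InputSource(new StringReader(xml)));
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected DOCTYPE: " + e.getMessage());
        }
    }
}
```

Apply the same `disallow-doctype-decl` setting to `SAXParserFactory`, `XMLInputFactory` (`SUPPORT_DTD` false) and any other JAXP entry point the code base uses, since each factory has its own defaults.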
Impact
If exploited, an attacker could read sensitive files, perform server-side request forgery (SSRF), or cause denial of service by submitting specially crafted XML. This can lead to data breaches, unauthorized network access, or application downtime.