SYM_JAVA_0059 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Restriction of XML External Entity Reference
| Property | Value |
|---|---|
| Language | java |
| Severity | |
| CWE | CWE-611: Improper Restriction of XML External Entity Reference |
| OWASP | A04:2017 - XML External Entities (XXE) |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Low |
Description
The XMLInputFactory is created without disabling support for external entities. This leaves the code vulnerable to XML External Entity (XXE) attacks, as external entities can be processed by default.
Impact
If exploited, an attacker could read sensitive files, access internal network resources, or cause denial of service by submitting malicious XML input. This can lead to data breaches, exposure of confidential information, or disruption of application functionality.
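The following is an added example, not code from the Symbiotic database entry. It contrasts the factory construction the Description flags (implementation defaults) with a hardened factory, adds a guard that reads the two relevant StAX properties back so a reviewer or unit test can verify a factory before it parses untrusted input, and parses a constructed, DTD-free document to show the hardened factory still works for ordinary payloads. The class and method names are hypothetical.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class StaxXxeHardening {
    // Pattern the finding flags: factory built with implementation defaults.
    // The JDK's built-in StAX leaves external entities and DTD support enabled.
    static XMLInputFactory vulnerableFactory() {
        return XMLInputFactory.newInstance();
    }
    // Hardened factory: do not resolve external entities and disable DTD
    // processing entirely (also removes DTD-based entity-expansion DoS).
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        return f;
    }
    // Guard for code review or unit tests: both properties must read back as
    // false before the factory is allowed to parse untrusted input.
    static boolean isHardened(XMLInputFactory f) {
        return Boolean.FALSE.equals(f.getProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES))
            && Boolean.FALSE.equals(f.getProperty(XMLInputFactory.SUPPORT_DTD));
    }
    // Collect the character content of every element, the way an application
    // would extract fields from a request body.
    static String textContent(XMLInputFactory f, String xml) throws XMLStreamException {
        XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
        StringBuilder sb = new StringBuilder();
        try {
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.CHARACTERS) {
                    sb.append(r.getText());
                }
            }
        } finally {
            r.close();
        }
        return sb.toString();
    }
    public static void main(String[] args) throws XMLStreamException {
        // Constructed sample input with no DOCTYPE; the hardened factory parses it normally.
        String xml = "<order><id>42</id><note>ship today</note></order>";
        System.out.println("default factory passes guard: " + isHardened(vulnerableFactory()));
        System.out.println("hardened factory passes guard: " + isHardened(hardenedFactory())
            + ", content=" + textContent(hardenedFactory(), xml));
    }
}
```

With DTD support disabled, documents that rely on DTD-declared entities no longer have them expanded, so a document carrying an entity reference fails to parse instead of triggering external resolution.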