SYM_JAVA_0130 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Restriction of XML External Entity Reference
| Property | Value |
|---|---|
| Language | java |
| Severity | |
| CWE | CWE-611: Improper Restriction of XML External Entity Reference |
| OWASP | A04:2017 - XML External Entities (XXE) |
| Confidence Level | High |
| Impact Level | High |
| Likelihood Level | Low |
Description
The code creates a TransformerFactory for XML processing without disabling access to external DTDs and stylesheets. This leaves the application vulnerable to XML External Entity (XXE) attacks, because XML input handled through the factory can reference external resources that the underlying parser will then fetch.
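The weak factory construction this pattern flags, beside the hardened form, as an added example (not code from the Symbiotic database). It assumes a JAXP 1.5 or later implementation such as the JDK's built-in one; the `unsafeFactory`, `hardenedFactory` and `identityTransform` helper names are illustrative.

```java
import java.io.StringReader;
import java.io.StringWriter;

import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public final class SafeTransformerFactory {

    // Weak form: what SYM_JAVA_0130 matches. With default JAXP settings the
    // parser behind the transformer may fetch external DTDs and stylesheets
    // referenced by untrusted input.
    static TransformerFactory unsafeFactory() {
        return TransformerFactory.newInstance();
    }

    // Hardened form: an empty protocol list means no external DTD or
    // stylesheet may be fetched at all; secure processing additionally
    // limits entity expansion. Older third-party implementations that do
    // not know these JAXP 1.5 attributes reject them with
    // IllegalArgumentException, which is worth surfacing rather than hiding.
    static TransformerFactory hardenedFactory() throws TransformerConfigurationException {
        TransformerFactory factory = TransformerFactory.newInstance();
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return factory;
    }

    // Identity transform of an in-memory document: ordinary input that does
    // not reference external resources still works with the hardened factory.
    static String identityTransform(TransformerFactory factory, String xml) throws Exception {
        Transformer transformer = factory.newTransformer();
        StringWriter out = new StringWriter();
        transformer.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input with no DOCTYPE and no external references.
        String xml = "<order id=\"42\"><item>widget</item></order>";
        System.out.println(identityTransform(hardenedFactory(), xml));
    }
}
```

With the hardened factory, a document whose DOCTYPE points at an external DTD fails the transform with a TransformerException naming the accessExternalDTD restriction, instead of the parser reaching out to the referenced location.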
Impact
If exploited, an attacker could read sensitive files from the server, perform server-side request forgery (SSRF), or cause a denial of service. This can lead to data breaches, exposure of internal systems, and significant security risk to the application and the organization.