SYM_JAVA_0132 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Restriction of XML External Entity Reference
Property | Value |
---|---|
Language | java |
Severity | |
CWE | CWE-611: Improper Restriction of XML External Entity Reference |
OWASP | A04:2017 - XML External Entities (XXE) |
Confidence Level | High |
Impact Level | High |
Likelihood Level | Low |
Description
The code allows XML documents to include DOCTYPE declarations without disabling external entity processing. As a result, the XML parser resolves external entities declared in the document's DTD and loads the resources they point to (local files or remote URLs), which is insecure.
Impact
If exploited, an attacker could use XML External Entity (XXE) attacks to read sensitive files from the server, perform denial-of-service (DoS), or make network requests to internal resources, potentially exposing confidential data and compromising system integrity.