SYM_JSTS_0054 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Restriction of XML External Entity Reference
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-611: Improper Restriction of XML External Entity Reference |
| OWASP | A04:2017 - XML External Entities (XXE) |
| Confidence Level | High |
| Impact Level | High |
| Likelihood Level | High |
Description
User-provided XML input is parsed with the libxml library while the `noent` option is set to true. That option instructs the parser to substitute entity references, including external entities declared in the document's DTD, so the XML is processed with external entity resolution enabled and the parser is exposed to XML External Entity (XXE) attacks.
Impact
If exploited, attackers can read sensitive files from your server, perform server-side request forgery (SSRF), or disclose internal system information. This can lead to data breaches, unauthorized access, or compromise of backend infrastructure.
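As an added example that is not part of this database entry, the following Node.js helper shows the flagged setting beside a hardened parser configuration and a pre-check that refuses any document carrying a DOCTYPE. It assumes the libxmljs binding for libxml2, whose `parseXml()` takes libxml2 option flags such as `noent`, `dtdload` and `nonet`; the sample documents are constructed for illustration.

```javascript
// Added example, not code from the Symbiotic database or the libxmljs project.
// Assumes the libxmljs binding is installed; option names follow its parseXml().
'use strict';

// Parser options that keep entity declarations inert:
//   noent: false   -> do not substitute entity references (the finding flags noent: true)
//   dtdload: false -> do not fetch an external DTD subset
//   nonet: true    -> forbid network access while parsing
const SAFE_PARSE_OPTIONS = Object.freeze({ noent: false, dtdload: false, nonet: true });

// True when the raw text contains a DOCTYPE declaration. Entity declarations can
// only appear inside a DOCTYPE, so inputs that never need one can be rejected
// before any parser sees them. Deliberately conservative: the string is matched
// anywhere, so a DOCTYPE hidden in a comment or CDATA section is rejected too.
function hasDoctype(xml) {
  return /<!DOCTYPE\b/i.test(xml);
}

// Parses untrusted XML: refuses DOCTYPE, then parses with entity substitution
// disabled. Returns the libxmljs Document on success.
function parseUntrustedXml(xml) {
  if (typeof xml !== 'string') throw new TypeError('xml must be a string');
  if (hasDoctype(xml)) throw new Error('XML DOCTYPE declarations are not accepted');
  // Required here so the policy helpers above work without the native module loaded.
  const { parseXml } = require('libxmljs');
  return parseXml(xml, SAFE_PARSE_OPTIONS);
}

// Constructed sample inputs.
const BENIGN = '<?xml version="1.0"?><order><id>42</id></order>';
// Constructed: a document that declares an external entity, the shape CWE-611 is about.
const WITH_EXTERNAL_ENTITY =
  '<?xml version="1.0"?><!DOCTYPE order [<!ENTITY ext SYSTEM "file:///PLACEHOLDER">]>' +
  '<order><id>&ext;</id></order>';

module.exports = { SAFE_PARSE_OPTIONS, hasDoctype, parseUntrustedXml, BENIGN, WITH_EXTERNAL_ENTITY };
```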