SYM_JSTS_0063 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Restriction of XML External Entity Reference
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-611: Improper Restriction of XML External Entity Reference |
| OWASP | A04:2017 - XML External Entities (XXE) |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
Description
User-supplied data is parsed as XML by the xml2json library inside an Express route handler without validation, so an attacker can submit crafted XML, including external entity declarations, that the server then processes.
Impact
If exploited, attackers could read sensitive files from your server, perform server-side request forgery (SSRF), or cause denial of service. This can lead to data breaches, unauthorized access, or disruption of service, putting your application and its users at significant risk.