SYM_JSTS_0144 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki

# Improper Restriction of XML External Entity Reference
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-611: Improper Restriction of XML External Entity Reference |
| OWASP | A04:2017 - XML External Entities (XXE) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
## Description

Parsing user-supplied XML with the 'node-expat' library without validating the input or disabling external entity processing can expose your code to XML External Entity (XXE) attacks. The weakness arises whenever untrusted XML is handed to the parser with no restriction on the entity declarations it may carry.
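The following is an added example and not code from this database entry or from the node-expat project. It shows a defence-in-depth guard that a service can run before handing untrusted XML to a parser: XXE and entity-expansion payloads both need a DTD (`<!DOCTYPE ...>` with `<!ENTITY ...>` declarations), which ordinary data-exchange documents never carry, so rejecting any document that contains one keeps entity declarations away from the parser regardless of its own settings. The `parseUntrustedXml` wrapper assumes a parser object with node-expat's `Parser` shape (`.on(event, handler)` and `.parse(text, isFinal)`); because the native module is not available here, a tiny stand-in parser that only recognises start tags is supplied so the file runs on its own. The sample documents are constructed for the demo.

```javascript
// Added example: pre-parse DTD guard for untrusted XML (not node-expat code).

// Comments and CDATA sections may legitimately contain the text "<!DOCTYPE";
// strip them first so the guard does not reject harmless documents.
function stripOpaqueSections(xml) {
  return xml
    .replace(/<!--[\s\S]*?-->/g, '')
    .replace(/<!\[CDATA\[[\s\S]*?\]\]>/g, '');
}

// Returns the DTD constructs found in the document. 'EXTERNAL' flags an entity
// declared with a SYSTEM or PUBLIC identifier, the form XXE relies on; a plain
// 'ENTITY' finding without it still matters because internal entities alone
// are enough for an entity-expansion denial of service. Empty list = clean.
function findDtdConstructs(xml) {
  const body = stripOpaqueSections(xml);
  const checks = [
    ['DOCTYPE', /<!DOCTYPE\b/i],
    ['ENTITY', /<!ENTITY\b/i],
    ['EXTERNAL', /<!ENTITY[^>]*\b(?:SYSTEM|PUBLIC)\b/i],
  ];
  return checks.filter(([, re]) => re.test(body)).map(([name]) => name);
}

// Hardened entry point: refuse any document carrying a DTD, then parse and
// return the element names seen. createParser is assumed to return an object
// with node-expat's Parser interface; in production that would be
// () => new (require('node-expat').Parser)('UTF-8').
function parseUntrustedXml(xml, createParser) {
  const findings = findDtdConstructs(xml);
  if (findings.length > 0) {
    throw new Error(`rejected XML with DTD constructs: ${findings.join(', ')}`);
  }
  const parser = createParser();
  const elements = [];
  let parseError = null;
  parser.on('startElement', (name) => elements.push(name));
  parser.on('error', (err) => { parseError = err; });
  parser.parse(xml, true);
  if (parseError) throw new Error(`parse error: ${parseError}`);
  return elements;
}

// Minimal stand-in for expat.Parser so this file runs without the native
// module. It only fires 'startElement' for start and self-closing tags.
function createStandInParser() {
  const handlers = {};
  const startTag = /<([A-Za-z_][\w:.-]*)(?:\s[^>]*)?\/?>/g;
  return {
    on(event, handler) { handlers[event] = handler; },
    parse(text) {
      let m;
      while ((m = startTag.exec(text)) !== null) {
        if (handlers.startElement) handlers.startElement(m[1]);
      }
    },
  };
}

// Constructed sample documents for the demo.
const SAFE_DOC =
  '<?xml version="1.0"?><order id="42"><item sku="A1"/>' +
  '<note><![CDATA[<!DOCTYPE only text here>]]></note></order>';
const XXE_DOC =
  '<?xml version="1.0"?><!DOCTYPE order [<!ENTITY ext SYSTEM ' +
  '"file:///example/secret.txt">]><order>&ext;</order>';
const EXPANSION_DOC =
  '<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">' +
  '<!ENTITY lol2 "&lol;&lol;">]><lolz>&lol2;</lolz>';

function demo() {
  const report = {};
  for (const [label, doc] of [['safe', SAFE_DOC], ['xxe', XXE_DOC], ['expansion', EXPANSION_DOC]]) {
    try {
      report[label] = { accepted: true, elements: parseUntrustedXml(doc, createStandInParser) };
    } catch (err) {
      report[label] = { accepted: false, reason: err.message };
    }
  }
  return report;
}

console.log(JSON.stringify(demo(), null, 2));
```

The guard is deliberately over-cautious: the regexes are case-insensitive although XML keywords are case-sensitive, and a document that genuinely needs a DTD would be rejected too. For a service that only exchanges data documents that trade-off is the right one; if DTDs must be accepted, the check would need to be replaced by parser-level restrictions on entity declarations rather than weakened.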
## Impact

If exploited, attackers could read sensitive files from your server, perform server-side request forgery (SSRF), or cause denial of service. This can lead to data breaches, unauthorized access to internal resources, and compromise of the application's security.