SYM_PY_0012 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
# Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') |
| OWASP | A04:2017 - XML External Entities (XXE) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
## Description

Python's built-in xmlrpc libraries parse incoming XML without restricting DTD entity declarations or their expansion, so feeding them malicious or malformed XML input can expose the application to XML entity expansion and related XML attacks. It is safer to process XML-RPC data with a hardened library such as defusedxml.
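An added example (not code from this wiki or from defusedxml) showing the check that a hardened parser applies: a drop-in for `xmlrpc.client.loads` that aborts as soon as the message declares a DOCTYPE or an entity, built only on the standard library. The class and function names and the two sample requests are hypothetical; in production, `defusedxml.xmlrpc.monkey_patch()` installs an equivalent guard for the whole xmlrpc module.

```python
# Added example (not the wiki's or defusedxml's code): a hardened drop-in for
# xmlrpc.client.loads using only the standard library. Names are hypothetical.
import xmlrpc.client


class DTDForbidden(ValueError):
    """Raised when an XML-RPC message carries a DOCTYPE or entity declaration."""


class HardenedExpatParser(xmlrpc.client.ExpatParser):
    """ExpatParser that aborts on DTD constructs; XML-RPC never needs a DTD."""

    def __init__(self, target):
        super().__init__(target)
        expat = self._parser  # pyexpat parser created by ExpatParser.__init__
        expat.StartDoctypeDeclHandler = self._reject_doctype
        expat.EntityDeclHandler = self._reject_entity

    @staticmethod
    def _reject_doctype(name, sysid, pubid, has_internal_subset):
        raise DTDForbidden(f"DOCTYPE {name!r} is not allowed in XML-RPC")

    @staticmethod
    def _reject_entity(name, is_param, value, base, sysid, pubid, notation):
        raise DTDForbidden(f"entity declaration {name!r} is not allowed")


def safe_loads(data):
    """Like xmlrpc.client.loads, but refuses entity expansion; returns (params, methodname)."""
    target = xmlrpc.client.Unmarshaller()
    parser = HardenedExpatParser(target)
    parser.feed(data)
    parser.close()
    return target.close(), target.getmethodname()


def rejects_dtd(data):
    """True if safe_loads refuses the message because it carries a DTD."""
    try:
        safe_loads(data)
    except DTDForbidden:
        return True
    return False


# Constructed sample requests: a normal call and one with nested entity declarations.
GOOD_REQUEST = (b'<?xml version="1.0"?><methodCall><methodName>add</methodName>'
                b'<params><param><value><int>2</int></value></param>'
                b'<param><value><int>3</int></value></param></params></methodCall>')
DTD_REQUEST = (b'<?xml version="1.0"?>'
               b'<!DOCTYPE methodCall [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
               b'<methodCall><methodName>echo</methodName>'
               b'<params><param><value><string>&b;</string></value></param></params></methodCall>')
```

`safe_loads(GOOD_REQUEST)` returns `((2, 3), 'add')` exactly as the standard loader does, while `DTD_REQUEST` is rejected before any entity is expanded instead of being silently unmarshalled with `&b;` expanded.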
## Impact

If exploited, an attacker can craft malicious XML that consumes excessive resources (denial of service), accesses sensitive files, or executes unauthorized commands on the server. This can lead to system downtime, data breaches, or a compromise of the application's integrity.