SYM_RB_0060 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Restriction of XML External Entity Reference
Property | Value |
---|---|
Language | |
Severity | |
CWE | CWE-611: Improper Restriction of XML External Entity Reference |
OWASP | A04:2017 - XML External Entities (XXE) |
Confidence Level | Low |
Impact Level | Medium |
Likelihood Level | Low |
Description
The flagged code sets `ActiveSupport::XmlMini.backend = 'LibXML'`, replacing Rails' default REXML backend with libxml2 for every `Hash.from_xml` and `ActiveSupport::XmlMini.parse` call. REXML does not fetch external entities. libxml2, by contrast, can substitute entity references and resolve external entities and DTDs depending on the parser options it is given, and the XmlMini LibXML backend exposes no hook for hardening those options. Untrusted XML that declares a `DOCTYPE` with external entities may therefore be processed unsafely. The finding is reported with low confidence because the rule matches the backend switch itself, not a confirmed unsafe parse of attacker-controlled input.
Impact
If the parser resolves external entities, an attacker who can submit XML can read local files through `file://` entities (exfiltrating them wherever the parsed value is echoed back or leaks into an error message), reach internal hosts through `http://` entities (server-side request forgery), or exhaust CPU and memory with entity expansion such as the billion laughs attack. The outcome is disclosure of sensitive data and unauthorized access to internal resources.
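The configuration this rule matches, a payload of the kind described under Impact, and a guard that keeps attacker-controlled XML away from entity-resolving parsers, as an added example. This is not code from the Symbiotic database or from Rails: `reject_doctype!`, `parse_user_name`, `UnsafeXmlError` and the two payload strings are constructed for illustration, REXML stands in for the Rails default backend so the script runs outside Rails, and the assumed remediation is to leave the XmlMini backend at its default and screen untrusted input before parsing.

```ruby
# Added example, not code from the Symbiotic database or from Rails.
require "rexml/document"

# Flagged configuration, usually found in config/initializers/*.rb:
#
#   ActiveSupport::XmlMini.backend = 'LibXML'
#
# Rails' default XmlMini backend is REXML; the line above routes every
# Hash.from_xml / ActiveSupport::XmlMini.parse call through libxml2 instead.
# The remediation assumed here is to leave the backend at its default and to
# screen untrusted input with the guard below.

# Constructed XXE payload of the kind the Impact section describes: an
# external entity whose SYSTEM identifier names a local file. A parser that
# substitutes external entities would inline that file into <name>.
XXE_PAYLOAD = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE user [
    <!ENTITY secret SYSTEM "file:///etc/passwd">
  ]>
  <user><name>&secret;</name></user>
XML

# Constructed benign input for comparison.
BENIGN_PAYLOAD = <<~XML
  <?xml version="1.0"?>
  <user><name>alice</name></user>
XML

class UnsafeXmlError < StandardError; end

# Hypothetical guard, not part of Rails. Every entity declaration (internal,
# external or parameter) has to live inside a DOCTYPE, so refusing documents
# that carry one stops XXE and entity-expansion (billion laughs) before any
# backend parses the body, whichever backend is configured. It fails closed:
# a "<!DOCTYPE" inside a CDATA section or comment is rejected as well.
def reject_doctype!(xml)
  raise UnsafeXmlError, "expected a String, got #{xml.class}" unless xml.is_a?(String)
  # Assumption: the body is text in an ASCII-compatible encoding. A UTF-16
  # body would evade a byte-wise match, so transcode to UTF-8 first and treat
  # anything that cannot be decoded as hostile.
  begin
    text = xml.encode(Encoding::UTF_8)
  rescue EncodingError => e
    raise UnsafeXmlError, "undecodable XML body: #{e.class}"
  end
  raise UnsafeXmlError, "DOCTYPE declarations are not accepted" if text.match?(/<!DOCTYPE/i)
  xml
end

# Parses only after the guard passes. REXML stands in for the Rails default
# backend so this example runs stand-alone; in an application the same guard
# sits in front of Hash.from_xml / ActiveSupport::XmlMini.parse.
def parse_user_name(xml)
  reject_doctype!(xml)
  doc = REXML::Document.new(xml)
  name_el = doc.root && doc.root.elements["name"]
  name_el && name_el.text
end

if __FILE__ == $PROGRAM_NAME
  puts parse_user_name(BENIGN_PAYLOAD)   # alice
  begin
    parse_user_name(XXE_PAYLOAD)
  rescue UnsafeXmlError => e
    puts "rejected: #{e.message}"
  end
end
```

The guard is deliberately backend-independent: it costs one regex per request, it covers entity-expansion denial of service as well as XXE, and it is the practical control when the configured backend offers no way to pass parser options. It is not a replacement for reverting the backend switch that this rule flags; an application that never needs DTD features should reject them at the boundary and keep the default parser.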