Improper Restriction of XML External Entity Reference
| Property | Value |
|---|---|
| Language | csharp |
| Severity | |
| CWE | CWE-611: Improper Restriction of XML External Entity Reference |
| OWASP | A04:2017 - XML External Entities (XXE) |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
The code enables parsing of XML input with DTD processing and allows an external XmlResolver, which can be dangerous if the XML data comes from user input. This configuration makes the application vulnerable to XML External Entity (XXE) attacks.
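The flagged configuration beside its hardened form, as an added example that is not part of the original rule page; it uses XmlReaderSettings only, and the class, method names and sample documents are constructed for illustration.

```csharp
using System;
using System.IO;
using System.Xml;

// Added example (not from the original page). Names are hypothetical.
public static class XxeExample
{
    // Flagged pattern: DTD processing enabled and an external resolver attached,
    // so a DOCTYPE in untrusted input can make the reader fetch external entities.
    public static XmlReaderSettings VulnerableSettings()
    {
        return new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Parse,
            XmlResolver = new XmlUrlResolver()
        };
    }

    // Hardened form: refuse DTDs and attach no resolver. With Prohibit the
    // reader throws XmlException on any DOCTYPE instead of processing it.
    public static XmlReaderSettings HardenedSettings()
    {
        return new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null
        };
    }

    // Parses untrusted XML with the hardened settings and returns the root
    // element name, or null when the document was rejected.
    public static string ParseUntrusted(string xml)
    {
        using var reader = XmlReader.Create(new StringReader(xml), HardenedSettings());
        try
        {
            reader.MoveToContent();
            return reader.Name;
        }
        catch (XmlException)
        {
            return null;
        }
    }

    public static void Main()
    {
        // Constructed inputs: a plain document, and one carrying a (harmless) DOCTYPE.
        Console.WriteLine(ParseUntrusted("<order><id>1</id></order>") ?? "rejected");
        Console.WriteLine(ParseUntrusted("<!DOCTYPE x [<!ENTITY e \"v\">]><x>&e;</x>") ?? "rejected");
    }
}
```

The same two properties exist on XmlDocument and XmlTextReader; a scanner rule like this one typically looks for DtdProcessing.Parse combined with a non-null resolver on any of them.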
Impact
If exploited, an attacker could read sensitive files from the server, perform network requests from the application’s environment, or potentially execute denial-of-service attacks. This could lead to data leaks or compromise of the application’s underlying infrastructure.