Improper Restriction of XML External Entity Reference
| Property | |
|---|---|
| Language | csharp |
| Severity |  |
| CWE | CWE-611: Improper Restriction of XML External Entity Reference |
| OWASP | A04:2017 - XML External Entities (XXE) |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Low |
Description#
The code enables DTD parsing in XmlReaderSettings and then parses XML input received from a public method’s string parameter. This allows user-supplied XML to include external entities, which is unsafe.
Impact#
If exploited, an attacker could read sensitive files from the server, make network requests, or cause denial of service by submitting malicious XML. This may lead to data leakage, unauthorized access, or disruption of the application.