Improper Restriction of XML External Entity Reference
| Property | Value |
|---|---|
| Language | csharp |
| Severity | |
| CWE | CWE-611: Improper Restriction of XML External Entity Reference |
| OWASP | A04:2017 - XML External Entities (XXE) |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
The code creates an XmlTextReader over XML input that reaches a public method, without disabling DTD processing or clearing the reader's XmlResolver. External entities declared in the document's DTD are therefore resolved, which is dangerous whenever the input is user-controlled.
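The pattern the rule flags beside its hardened form, as an added example that is not part of this rule page or of any particular project. Both methods are assumptions for illustration; the constructed input uses an internal entity only, which is enough to show that the unsafe reader expands DTD content while the hardened reader rejects the DOCTYPE outright.

```csharp
using System;
using System.IO;
using System.Xml;

public static class XxeExample
{
    // Constructed input: a DOCTYPE with an internal entity. Any DTD
    // must be rejected for untrusted input, so this is a sufficient probe.
    public const string UntrustedXml =
        "<!DOCTYPE r [<!ENTITY e \"expanded\">]><r>&e;</r>";

    // Flagged pattern: XmlTextReader with defaults parses the DTD and
    // uses the default XmlResolver, so external entities are fetched.
    public static string ParseUnsafe(string xml)
    {
        var reader = new XmlTextReader(new StringReader(xml));
        var doc = new XmlDocument();
        doc.Load(reader);
        return doc.DocumentElement?.InnerText; // "expanded"
    }

    // Hardened: prohibit DTDs and remove the resolver. The reader now
    // throws XmlException on the DOCTYPE instead of expanding anything.
    public static string ParseSafe(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null
        };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            var doc = new XmlDocument { XmlResolver = null };
            doc.Load(reader);
            return doc.DocumentElement?.InnerText;
        }
    }

    // Same hardening when XmlTextReader itself must be kept (legacy API):
    // set the two properties explicitly rather than relying on defaults.
    public static string ParseLegacySafe(string xml)
    {
        var reader = new XmlTextReader(new StringReader(xml))
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null
        };
        var doc = new XmlDocument { XmlResolver = null };
        doc.Load(reader);
        return doc.DocumentElement?.InnerText;
    }
}
```

With `UntrustedXml`, `ParseUnsafe` returns "expanded" whereas `ParseSafe` and `ParseLegacySafe` throw an `XmlException` stating that DTD is prohibited; a scanner finding on this rule is resolved by the latter two shapes.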
Impact
If exploited, an attacker could use specially crafted XML to read sensitive files from the server, perform server-side request forgery (SSRF), or cause denial of service. This can lead to data leakage, unauthorized access, or system compromise.