Improper Restriction of XML External Entity Reference
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-611: Improper Restriction of XML External Entity Reference |
| OWASP | A04:2017 - XML External Entities (XXE) |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description
The code enables XML external entity (XXE) processing by setting the XMLParseNoEnt flag when parsing XML with libxml2. With this flag set, entities declared in user-supplied XML are resolved and substituted, including external entities, which can expose sensitive files or internal systems to attackers.
Impact
If exploited, an attacker could read confidential files from the server, perform server-side request forgery (SSRF), or cause denial of service. This can lead to data breaches, exposure of internal systems, or disruption of application availability.
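As an added example (not code from the rule page or from any project it describes), the option set this rule flags is shown in comments beside a hardened one, followed by a runnable standard-library guard that refuses any DOCTYPE before the document ever reaches a libxml2-backed parser. The `parser.New` / `parser.XMLParseNoEnt` calls refer to the lestrrat-go/libxml2 binding and are an assumption about which Go binding the rule targets; the sample documents are constructed.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"errors"
	"fmt"
	"io"
)

// Flagged by the rule (assumed lestrrat-go/libxml2 binding):
//   p := parser.New(parser.XMLParseNoEnt) // substitutes external entities
// Hardened: omit NOENT (libxml2 then leaves entities unresolved) and
// additionally forbid network fetches for any DTD that does get loaded:
//   p := parser.New(parser.XMLParseNoNet)

// ErrDoctype is returned for input carrying a DOCTYPE, the only place an
// <!ENTITY ...> declaration (and therefore an XXE payload) can appear.
var ErrDoctype = errors.New("xml: DOCTYPE declarations are not allowed")

// RejectDoctype tokenizes the input with encoding/xml, which never resolves
// external entities, and rejects it if a DOCTYPE directive is present.
// Calling it before the libxml2 parse means the parser's entity options are
// no longer the only line of defence.
func RejectDoctype(data []byte) error {
	dec := xml.NewDecoder(bytes.NewReader(data))
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return nil // no DOCTYPE anywhere in the document
		}
		if err != nil {
			return err // malformed XML is rejected as well
		}
		if d, ok := tok.(xml.Directive); ok {
			if bytes.HasPrefix(bytes.ToUpper(bytes.TrimSpace(d)), []byte("DOCTYPE")) {
				return ErrDoctype
			}
		}
	}
}

func main() {
	// Constructed samples: a plain document and one declaring an external
	// entity of the kind XMLParseNoEnt would substitute.
	clean := []byte(`<?xml version="1.0"?><order><id>42</id></order>`)
	xxe := []byte(`<?xml version="1.0"?>` +
		`<!DOCTYPE d [<!ENTITY e SYSTEM "file:///placeholder">]>` +
		`<order><id>&e;</id></order>`)
	fmt.Println("clean:", RejectDoctype(clean)) // clean: <nil>
	fmt.Println("xxe:", RejectDoctype(xxe))     // xxe: xml: DOCTYPE declarations are not allowed
}
```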