# Improper Restriction of XML External Entity Reference

| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-611: Improper Restriction of XML External Entity Reference |
| OWASP | A04:2017 - XML External Entities (XXE) |
| Confidence Level | High |
| Impact Level | Medium |
| Likelihood Level | Low |
## Description

The code creates an XML DocumentBuilder without disabling the parser's entity-processing features. Anyone who can supply XML to the application can therefore craft a document that the parser processes insecurely, for example one whose DOCTYPE declares external entities.
## Impact

If exploited, attackers could read sensitive files, perform denial-of-service attacks, or make server-side network requests (SSRF) through malicious XML. This can lead to data leaks, system downtime, or unauthorized access to internal resources.