# Improper Restriction of XML External Entity Reference

| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-611: Improper Restriction of XML External Entity Reference |
| OWASP | A04:2017 - XML External Entities (XXE) |
| Confidence Level | High |
| Impact Level | Medium |
| Likelihood Level | Low |
## Description

When an XMLInputFactory instance is created with its default settings, DTD and external entity processing are not disabled, so the resulting StAX parser may resolve external entities declared in untrusted input. An attacker who controls the XML can declare entities that reference external resources or local files, and the parser will fetch or read them on the application's behalf.
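The weak factory setup beside its hardened form, as an added example that is not part of the original rule text. The sample document is constructed and declares only an internal entity; the class and method names are assumptions for the example.

```java
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import java.io.StringReader;

public class XmlInputFactoryXxe {

    // Flagged pattern: a factory with default settings; DTD processing
    // and external entity resolution are left enabled.
    static XMLInputFactory insecureFactory() {
        return XMLInputFactory.newInstance();
    }

    // Hardened pattern: refuse DTDs entirely and disable external
    // entities. Both standard StAX properties exist on every
    // XMLInputFactory implementation.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    // Returns the first text node of the document, or null if none.
    static String firstText(XMLInputFactory f, String xml) throws XMLStreamException {
        XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
        try {
            while (r.hasNext()) {
                if (r.next() == XMLStreamReader.CHARACTERS) {
                    return r.getText();
                }
            }
            return null;
        } finally {
            r.close();
        }
    }

    public static void main(String[] args) throws XMLStreamException {
        // Constructed sample: an internal entity only, no external reference.
        String xml = "<!DOCTYPE d [<!ENTITY e \"expanded\">]><d>&e;</d>";

        // Default factory expands the entity from the DOCTYPE.
        System.out.println("insecure: " + firstText(insecureFactory(), xml));

        // Hardened factory either reports the entity as unexpanded or
        // rejects the DOCTYPE outright, depending on the implementation.
        try {
            System.out.println("hardened: " + firstText(hardenedFactory(), xml));
        } catch (XMLStreamException ex) {
            System.out.println("hardened: rejected (" + ex.getMessage() + ")");
        }
    }
}
```

Setting `SUPPORT_DTD` to `false` is the property that actually blocks entity declarations; `IS_SUPPORTING_EXTERNAL_ENTITIES` alone still lets a DOCTYPE be parsed.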
## Impact

If exploited, an attacker could read confidential files from the server's filesystem, cause a denial of service through recursive or oversized entity expansion, or make the server issue requests to internal or external systems (SSRF). The result can be data leakage, service disruption, or unauthorized access to the internal network.