Improper Restriction of XML External Entity Reference
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-611: Improper Restriction of XML External Entity Reference |
| OWASP | A04:2017 - XML External Entities (XXE) |
| Confidence Level | High |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description#
The XML parser is being created without disabling features that allow processing of external entities. This leaves the application vulnerable to attackers sending malicious XML data that can be interpreted in unsafe ways.
Impact#
If exploited, an attacker could read sensitive files, perform server-side request forgery (SSRF), or cause denial of service by submitting specially crafted XML. This can lead to data breaches, unauthorized network access, or application downtime.