Improper Restriction of XML External Entity Reference
| Property | Value |
|---|---|
| Language | java |
| Severity | |
| CWE | CWE-611: Improper Restriction of XML External Entity Reference |
| OWASP | A04:2017 - XML External Entities (XXE) |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Low |
Description
The `XMLInputFactory` is created without disabling support for external entities. This leaves the code vulnerable to XML External Entity (XXE) attacks, as external entities can be processed by default.
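The following is an added example, not code from the original rule page. It places the default (flagged) factory construction next to a hardened one and runs both against a constructed document that declares an external entity. The entity's `file:///PLACEHOLDER_PATH` URI is a placeholder, and the class and method names are the example's own.

```java
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import java.io.StringReader;

public class XxeStaxExample {

    // Constructed sample document: declares an external entity with a
    // placeholder URI and references it in the body.
    static final String SAMPLE_XML =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE note [\n"
      + "  <!ENTITY ext SYSTEM \"file:///PLACEHOLDER_PATH\">\n"
      + "]>\n"
      + "<note>&ext;</note>";

    // Flagged pattern: the factory keeps its defaults. Depending on the StAX
    // implementation, DTD processing and external entity resolution are enabled.
    static XMLInputFactory insecureFactory() {
        return XMLInputFactory.newInstance();
    }

    // Hardened: disable DTD processing entirely and, as a second layer,
    // external entity resolution. Disabling SUPPORT_DTD also removes the
    // entity-expansion denial-of-service vector.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return factory;
    }

    // Parses the document with the given factory and returns the concatenated
    // text content. With the hardened factory the DTD is not processed, so the
    // entity is never resolved and the parser raises an XMLStreamException
    // (either rejecting the DOCTYPE or reporting the entity as undeclared,
    // depending on the implementation) before any external resource is touched.
    static String extractText(XMLInputFactory factory, String xml) throws XMLStreamException {
        XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
        StringBuilder text = new StringBuilder();
        try {
            while (reader.hasNext()) {
                int event = reader.next();
                if (event == XMLStreamConstants.CHARACTERS) {
                    text.append(reader.getText());
                }
            }
        } finally {
            reader.close();
        }
        return text.toString();
    }

    public static void main(String[] args) {
        try {
            extractText(hardenedFactory(), SAMPLE_XML);
            System.out.println("Hardened parser accepted the document (not expected for this input)");
        } catch (XMLStreamException e) {
            System.out.println("Hardened parser refused to resolve the entity: " + e.getMessage());
        }
    }
}
```

The rule fires on `insecureFactory()`: `XMLInputFactory.newInstance()` with no property changes. `hardenedFactory()` is the shape a fix should take; setting `SUPPORT_DTD` to `false` is the primary control, and `IS_SUPPORTING_EXTERNAL_ENTITIES` is set as well for implementations that still honour a DTD when only one of the two is disabled.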
Impact
If exploited, an attacker could read sensitive files, access internal network resources, or cause denial of service by submitting malicious XML input. This can lead to data breaches, exposure of confidential information, or disruption of application functionality.