Improper Restriction of XML External Entity Reference
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-611: Improper Restriction of XML External Entity Reference |
| OWASP | A04:2017 - XML External Entities (XXE) |
| Confidence Level | High |
| Impact Level | High |
| Likelihood Level | High |
Description#
User-provided XML input is parsed with the libxml library while the `noent` option is set to true. `noent` (libxml2's `XML_PARSE_NOENT`) tells the parser to substitute entity references, including external entities declared in the document's DTD, so an attacker who controls the input can declare an entity that points at a local file or an internal URL and have the parser resolve it. This opens the door to XML External Entity (XXE) attacks. Leave `noent` off for untrusted input, and preferably reject any document that carries a DOCTYPE at all, since entities can only be declared there.
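The following is an added example, not code from the original rule page or from any library it refers to. It shows the shape of the check the rule performs (a parser options object with `noent` enabled) next to two defenses a practitioner would apply before handing untrusted XML to a libxml2-based parser: refusing documents that contain a DTD, and forcing the entity-related parser flags off. The option names `noent`, `dtdload`, `dtdvalid` and `nonet` are libxml2 parser flags as exposed by bindings such as Node's libxmljs; their exact spelling for your binding is an assumption to confirm against its documentation. The payloads are constructed for the example.

```javascript
// Added example: XXE defenses for untrusted XML fed to a libxml2-based parser.
// Option names (noent, dtdload, dtdvalid, nonet) follow libxml2's parser
// flags as exposed by bindings like libxmljs; treat them as an assumption.

// Constructed sample inputs (not from any real incident).
const XXE_PAYLOAD = `<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<order><note>&xxe;</note></order>`;

const BENIGN_XML = `<?xml version="1.0"?>
<order><note>hello</note></order>`;

// What the rule flags: a parser configuration that substitutes entities
// (noent) or loads external DTD subsets (dtdload / dtdvalid).
function isUnsafeParserConfig(options = {}) {
  return options.noent === true
    || options.dtdload === true
    || options.dtdvalid === true;
}

// Defense 1: refuse any DTD or entity declaration before the parser sees
// the text. Entities can only be declared inside a DOCTYPE, so this removes
// the whole XXE surface (and entity-expansion DoS with it). The check is
// deliberately conservative: a "<!DOCTYPE" inside a comment is rejected too.
function assertNoDtd(xml) {
  if (/<!DOCTYPE|<!ENTITY/i.test(xml)) {
    throw new Error('XML containing DTD or entity declarations is not accepted');
  }
  return xml;
}

// Defense 2: whatever options the caller passed, force the dangerous flags
// off. Other options (noblanks, recover, ...) are preserved.
function hardenParserOptions(options = {}) {
  return {
    ...options,
    noent: false,     // never substitute entities, so no external fetch
    dtdload: false,   // never load an external DTD subset
    dtdvalid: false,  // validation would also load the DTD
    nonet: true,      // forbid network access during parsing
  };
}

// Stand-alone demonstration.
console.log('flagged by rule:', isUnsafeParserConfig({ noent: true }));
console.log('hardened options:', hardenParserOptions({ noent: true, noblanks: true }));
try {
  assertNoDtd(XXE_PAYLOAD);
} catch (e) {
  console.log('rejected payload:', e.message);
}
console.log('benign input accepted:', assertNoDtd(BENIGN_XML) === BENIGN_XML);
```

Use both layers together at the call site, for example `parseXml(assertNoDtd(input), hardenParserOptions(opts))` with your binding's parse function; the guard stops malicious documents at the door, and the forced options mean a later change to `opts` cannot quietly re-enable entity substitution.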
Impact#
If exploited, attackers can read sensitive files from your server, perform server-side request forgery (SSRF), or disclose internal system information. This can lead to data breaches, unauthorized access, or compromise of backend infrastructure.