Improper Restriction of XML External Entity Reference
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-611: Improper Restriction of XML External Entity Reference |
| OWASP | A04:2017 - XML External Entities (XXE) |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description
The parseXml() function is called with the `noent` option set to true, which makes the parser substitute (expand) entity references, including external entities declared in the document's DTD. If untrusted or user-supplied XML is parsed with this setting, the application is exposed to XML External Entity (XXE) attacks.
Impact
An attacker could exploit this to read sensitive files from the server, perform server-side request forgery (SSRF), or execute denial-of-service attacks. This could lead to data breaches, exposure of confidential information, or compromise of internal systems.
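The mitigation for this rule is to keep `noent` off and refuse documents that carry a DTD at all. The guard below is an added example written for this page, not code from the rule or from libxmljs: `hardenParseOptions`, `checkXmlForXxe` and `guardedParse` are hypothetical helpers, the parser is passed in as a function so the guard can be exercised without libxmljs installed, and the XML samples are constructed.

```javascript
// Added example (not part of the rule page): a guard placed in front of
// libxmljs's parseXml() so external entities are never expanded.

// Hypothetical helper: copy the caller's options but force `noent` off.
// `noent` is the only option the rule mentions; everything else passes through.
function hardenParseOptions(opts = {}) {
  return { ...opts, noent: false };
}

// Any DOCTYPE is rejected; an ENTITY with SYSTEM/PUBLIC (an external entity,
// including parameter entities declared with '%') is reported more precisely.
const DOCTYPE_RE = /<!DOCTYPE\b/i;
const EXTERNAL_ENTITY_RE = /<!ENTITY\s+%?\s*[^\s>]+\s+(SYSTEM|PUBLIC)\b/i;

// Hypothetical helper: returns { ok, reason } for a raw XML string.
function checkXmlForXxe(xml) {
  if (EXTERNAL_ENTITY_RE.test(xml)) {
    return { ok: false, reason: 'external entity declaration' };
  }
  if (DOCTYPE_RE.test(xml)) {
    return { ok: false, reason: 'DOCTYPE present' };
  }
  return { ok: true, reason: null };
}

// Hypothetical wrapper: `parseXml` is injected (e.g. require('libxmljs').parseXml)
// so the guard itself has no dependency. Rejected input throws before parsing.
function guardedParse(xml, opts, parseXml) {
  const verdict = checkXmlForXxe(xml);
  if (!verdict.ok) {
    throw new Error(`Rejected XML: ${verdict.reason}`);
  }
  return parseXml(xml, hardenParseOptions(opts));
}

// Constructed samples: a plain document and one with an external entity
// pointing at a placeholder URI (no real resource).
const SAFE_XML = '<?xml version="1.0"?><order><id>42</id></order>';
const XXE_XML =
  '<?xml version="1.0"?>\n' +
  '<!DOCTYPE order [\n' +
  '  <!ENTITY ext SYSTEM "file:///constructed-placeholder">\n' +
  ']>\n' +
  '<order><id>&ext;</id></order>';

module.exports = { hardenParseOptions, checkXmlForXxe, guardedParse, SAFE_XML, XXE_XML };
```

In production the injected function would be libxmljs's own `parseXml`; the option override is still applied even when a caller passes `{ noent: true }`.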