Improper Restriction of XML External Entity Reference
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-611: Improper Restriction of XML External Entity Reference |
| OWASP | A04:2017 - XML External Entities (XXE) |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
Untrusted user input is passed directly to the xml2json XML parser without validation or sanitization, so the application processes whatever the input contains, including a DOCTYPE that declares its own entities. XML External Entity (XXE) payloads rely on exactly that: an entity declared with a SYSTEM identifier names a file or URL that the parser resolves on the attacker's behalf, and the attacker decides where the fetched content lands in the parsed document.
Impact
If exploited, an attacker could read sensitive files from the server (an external entity with a file: URI), perform server-side request forgery against internal services (an external entity pointing at an internal HTTP endpoint), or disrupt the application with entity-expansion payloads such as the "billion laughs" document. This can lead to data leaks, unauthorized access to internal systems, or compromise of backend services.
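The following is an added example, not code from this page or from the xml2json project: a dependency-free pre-parse gate in Node.js that refuses any untrusted XML carrying a DOCTYPE, an entity declaration, or a non-predefined entity reference before the text reaches the parser, run over constructed inputs that reproduce the three impacts above (file read, SSRF, and entity-expansion denial of service). The size limit, the sample documents, and the injected `parse` callback (which would be xml2json's `toJson` in a real application) are assumptions.

```javascript
"use strict";

// Added example (not xml2json's or the page's own code): a pre-parse gate for
// untrusted XML. Every XXE and entity-expansion payload needs a DTD
// (<!DOCTYPE ...>) to declare its entities, so refusing any input that carries
// one closes the attack surface regardless of how the downstream parser
// (assumed here to be xml2json's toJson) is configured.

const MAX_XML_BYTES = 1024 * 1024; // assumed upper bound for an untrusted body

// Deliberately not "clever" about comments or CDATA: a DOCTYPE anywhere in the
// raw text is rejected, accepting a rare false positive over a bypass.
// Case-insensitive because some parsers tolerate a lowercase doctype.
const DOCTYPE_RE = /<!DOCTYPE\b/i;
const ENTITY_DECL_RE = /<!ENTITY\b/i;
// Without a DTD only the five predefined entities and numeric character
// references are valid; any other &name; is either malformed or an entity a
// DTD would have to back, so report it instead of letting the parser guess.
const PREDEFINED = new Set(["lt", "gt", "amp", "apos", "quot"]);
const ENTITY_REF_RE = /&([A-Za-z_:][\w.:-]*);/g;

function checkUntrustedXml(xml) {
  if (typeof xml !== "string") {
    return { ok: false, reason: "input must be a decoded string" };
  }
  if (new TextEncoder().encode(xml).length > MAX_XML_BYTES) {
    return { ok: false, reason: "input exceeds size limit" };
  }
  if (DOCTYPE_RE.test(xml)) {
    return { ok: false, reason: "DOCTYPE declarations are not accepted" };
  }
  if (ENTITY_DECL_RE.test(xml)) {
    return { ok: false, reason: "entity declarations are not accepted" };
  }
  for (const m of xml.matchAll(ENTITY_REF_RE)) {
    if (!PREDEFINED.has(m[1])) {
      return { ok: false, reason: `undeclared entity reference &${m[1]};` };
    }
  }
  return { ok: true, reason: "" };
}

// Runs the gate before handing the text to the real parser. `parse` is
// injected so the gate stays independent of the XML library; in an xml2json
// application it would be require("xml2json").toJson (assumption).
function parseUntrustedXml(xml, parse) {
  const verdict = checkUntrustedXml(xml);
  if (!verdict.ok) {
    throw new Error(`rejected XML input: ${verdict.reason}`);
  }
  return parse(xml);
}

// Constructed sample inputs: one benign document and the classic XXE shapes.
const SAMPLES = {
  benign:
    '<?xml version="1.0"?><order><id>42</id><note>a &amp; b &#x41; &quot;q&quot;</note></order>',
  fileRead:
    '<?xml version="1.0"?><!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>' +
    "<order><id>&xxe;</id></order>",
  ssrf:
    '<!DOCTYPE order [<!ENTITY xxe SYSTEM "http://internal.example/admin/status">]>' +
    "<order><id>&xxe;</id></order>",
  billionLaughs:
    '<!DOCTYPE lolz [<!ENTITY lol "lol"><!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">]>' +
    "<order><id>&lol2;</id></order>",
  lowercaseDoctype:
    '<!doctype order [<!ENTITY e SYSTEM "file:///etc/hostname">]><order><id>&e;</id></order>',
  strayEntityRef: "<order><id>&xxe;</id></order>",
};

// Returns { sampleName: accepted } so the gate's decisions can be checked.
function auditSamples(samples = SAMPLES) {
  const result = {};
  for (const [name, xml] of Object.entries(samples)) {
    result[name] = checkUntrustedXml(xml).ok;
  }
  return result;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, xml] of Object.entries(SAMPLES)) {
    const v = checkUntrustedXml(xml);
    console.log(`${name.padEnd(17)} ${v.ok ? "accept" : "reject: " + v.reason}`);
  }
}
```

Refusing the DTD outright is the posture the OWASP XXE prevention guidance recommends when a parser cannot be configured to disable external entities, and it removes internal entity expansion (billion laughs) as well. If the application genuinely needs a DTD, this gate is not enough: the parser itself must be configured to refuse external entity resolution, which the gate does not attempt.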