Improper Restriction of XML External Entity Reference
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-611: Improper Restriction of XML External Entity Reference |
| OWASP | A04:2017 - XML External Entities (XXE) |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
Handling the `ondoctype` event in the `sax` XML parser can introduce XML External Entity (XXE) vulnerabilities if the handler resolves external entities declared in input from untrusted sources. This can happen when custom DTD entity definitions are implemented without proper security controls.
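As an added example (not code from this page or from the sax project), the handler below registers only internal entity declarations and refuses `SYSTEM`/`PUBLIC` ones. It assumes that sax passes `ondoctype` the text between `<!DOCTYPE` and `>` and that `parser.ENTITIES` is the map sax consults when expanding `&name;`; the sample DOCTYPE and its URIs are constructed placeholders.

```javascript
// Added example, not code from the page or from the sax project. Assumptions about
// sax: the ondoctype handler receives the text between `<!DOCTYPE` and `>` (internal
// subset included), and `parser.ENTITIES` maps entity names to their expansion text.

// Groups: 1 parameter-entity marker, 2 name, 3 SYSTEM|PUBLIC, 4 public id,
// 5 external URI, 6 internal literal value.
const ENTITY_DECL =
  /<!ENTITY\s+(%\s+)?([A-Za-z_:][\w.:-]*)\s+(?:(SYSTEM|PUBLIC)\s+(?:("[^"]*"|'[^']*')\s+)?("[^"]*"|'[^']*')|("[^"]*"|'[^']*'))\s*(?:NDATA\s+\S+\s*)?>/g;

// Parse every <!ENTITY ...> declaration in a DOCTYPE and classify it.
function parseEntityDeclarations(doctypeText) {
  const re = new RegExp(ENTITY_DECL.source, 'g'); // fresh lastIndex per call
  const decls = [];
  let m;
  while ((m = re.exec(doctypeText)) !== null) {
    const [, param, name, kind, , uri, literal] = m;
    if (param) continue; // parameter entities are never exposed as &name;
    decls.push(kind
      ? { name, external: true, uri: uri.slice(1, -1) }
      : { name, external: false, value: literal.slice(1, -1) });
  }
  return decls;
}

// Safe handler: registers only internal (literal) entities and reports, but never
// resolves, SYSTEM/PUBLIC declarations, so the document cannot pick files or URLs.
function makeSafeDoctypeHandler(parser, onRejected) {
  return function ondoctype(doctypeText) {
    for (const d of parseEntityDeclarations(doctypeText)) {
      if (d.external) onRejected(d);
      else parser.ENTITIES[d.name] = d.value;
    }
  };
}

// Constructed sample in the form sax passes to ondoctype; URIs are placeholders.
const SAMPLE_DOCTYPE = ` note [
  <!ENTITY greeting "hello">
  <!ENTITY xxe SYSTEM "file:///example/secret.txt">
  <!ENTITY ext PUBLIC "-//EXAMPLE//DTD//EN" "http://dtd.example/x.dtd">
]`;

function runSample() {
  const parser = { ENTITIES: {} }; // stand-in for a sax parser object
  const rejected = [];
  makeSafeDoctypeHandler(parser, d => rejected.push(d.name))(SAMPLE_DOCTYPE);
  return { entities: parser.ENTITIES, rejected };
}
```

The names reported through `onRejected` are worth logging: a `SYSTEM` or `PUBLIC` declaration in user-supplied XML is a strong signal of an XXE attempt.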
Impact
If exploited, an attacker could access sensitive files on the server, perform server-side request forgery (SSRF), or leak confidential data through maliciously crafted XML input. This can lead to data breaches, exposure of internal resources, and compromise of the application’s integrity.