Improper Restriction of XML External Entity Reference
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-611: Improper Restriction of XML External Entity Reference |
| OWASP | A04:2017 - XML External Entities (XXE) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Parsing untrusted XML with Python's standard-library 'xml' package (xml.etree.ElementTree, xml.dom.minidom, xml.dom.pulldom, xml.sax and xml.parsers.expat) can expose your application to XML External Entity (XXE) and entity-expansion attacks. The package's parsers are not uniformly hardened: xml.sax and xml.dom.pulldom will fetch external general entities whenever that feature is switched on (it was the default before Python 3.7.1), and every parser built on an Expat older than 2.4.1 is open to "billion laughs" and quadratic-blowup denial of service. Whether a given use is exploitable therefore depends on the input being attacker-controlled and on the interpreter's Expat version, which is why this finding is reported at low confidence. The recommended fix is 'defusedxml', which provides drop-in replacements for these modules and, by default, rejects entity declarations and external entity references before any expansion takes place (and rejects DTDs altogether with forbid_dtd=True).
Impact
If exploited, an attacker who controls the XML can declare an external entity that points at a local file and have its contents copied into the parsed output (reading any file the application's account can open), point the entity at an http:// or other URL to make the server issue requests into internal networks (server-side request forgery), or nest entity definitions so that expansion exhausts memory and CPU (denial of service). This can lead to data breaches, unauthorized access to internal services, or service outages.
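The file-read path and two mitigations, as an added example that is not part of this rule page or of the defusedxml project, using only the standard library. A constructed XXE payload declares an external entity pointing at a file on disk; parsing it with xml.sax after switching on feature_external_ges (the exploitable behaviour, and the default before Python 3.7.1) copies the file's contents into the parsed text; with the current default the entity expands to nothing; and a lexical handler that raises on any DOCTYPE stops the attack before the entity is even declared, which is the same Expat callback (StartDoctypeDeclHandler) that defusedxml's forbid_dtd option hooks. The secret file, its path, the element names and the TextCollector/RejectDoctype helpers are constructed for this demo, and the file:// URL assumes a POSIX-style absolute path.

```python
"""Added example: XXE via the standard-library xml.sax parser, and two mitigations."""
import io
import os
import tempfile
import xml.sax
import xml.sax.handler


class TextCollector(xml.sax.handler.ContentHandler):
    """Accumulates all character data in the document into one string."""

    def __init__(self):
        super().__init__()
        self._parts = []

    def characters(self, content):
        self._parts.append(content)

    def text(self):
        return "".join(self._parts)


class RejectDoctype:
    """Lexical handler whose startDTD callback refuses any DOCTYPE.

    Expat reports the DOCTYPE before it reads the internal subset, so the
    attacker's ENTITY declarations are never parsed. defusedxml's
    forbid_dtd=True option hooks this same Expat callback.
    """

    def startDTD(self, name, public_id, system_id):
        raise ValueError(f"DOCTYPE {name!r} rejected: DTDs are not allowed in untrusted XML")

    # xml.sax.expatreader wires all of these up at parse time, so they must exist.
    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


def xxe_payload(target_path):
    """Constructed attacker input: an external general entity pointing at a
    local file, referenced from element text so the file lands in the output."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE order [ <!ENTITY xxe SYSTEM "file://{target_path}"> ]>\n'
        "<order><note>&xxe;</note></order>"
    )


def parse_text(xml_bytes, resolve_external_entities=False, forbid_dtd=False):
    """Parse with xml.sax and return the concatenated character data."""
    parser = xml.sax.make_parser()
    # False has been the default since Python 3.7.1; True restores the old,
    # exploitable behaviour in which SYSTEM entities are fetched and inlined.
    parser.setFeature(xml.sax.handler.feature_external_ges, resolve_external_entities)
    if forbid_dtd:
        parser.setProperty(xml.sax.handler.property_lexical_handler, RejectDoctype())
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def demo():
    """Run the payload through all three configurations and report the outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for /etc/passwd or an application config file.
        secret_path = os.path.join(tmp, "secret.txt")
        with open(secret_path, "w", encoding="utf-8") as fh:
            fh.write("api-key=hunter2")
        payload = xxe_payload(secret_path).encode("utf-8")

        leaked = parse_text(payload, resolve_external_entities=True)  # file contents appear in output
        default = parse_text(payload)  # entity silently expands to nothing
        try:
            parse_text(payload, forbid_dtd=True)  # DOCTYPE itself is refused
            rejected = False
        except ValueError:
            rejected = True
    return {"vulnerable": leaked, "default": default, "hardened_rejects": rejected}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Rejecting the DOCTYPE outright is stricter than defusedxml's defaults (which allow a DTD but forbid entity declarations and external references); for untrusted input from the network that strictness is usually what you want, since legitimate documents rarely carry an inline DTD. Note that the "default" case only shows that the current interpreter does not fetch the entity; it says nothing about the entity-expansion denial-of-service cases, which depend on the Expat version the interpreter was linked against.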