Sling / SLING-10852

Upgrade ESAPI to 2.2.3.0


Details

    Description

      The esapi package is vulnerable to XML External Entity (XXE) attacks. The loadPropertiesFromFile() method in the XmlEsapiPropertyLoader class allows external entities to be defined in user-controlled XML input files that are used to configure the application. A remote attacker with control over the input file used to configure the application may craft a malicious XML file that leads to Denial of Service (DoS) and, in certain circumstances, Remote Code Execution (RCE).


            People

              radu Radu Cotescu
              arun92ram Arun Kumar Ram


                Time Tracking

                  Original Estimate: Not Specified
                  Remaining Estimate: 0h
                  Time Spent: 0.5h