Details
- Type: Improvement
- Status: Closed
- Priority: Major
- Resolution: Fixed
Description
The esapi package is vulnerable to XML External Entity (XXE) attacks. The loadPropertiesFromFile() method in the XmlEsapiPropertyLoader class allows external entities to be defined in user-controlled XML input files that can be used to configure the application. A remote attacker with control over the input file used to configure the application may craft a malicious XML file that could lead to Denial of Service (DoS), and in certain circumstances Remote Code Execution (RCE).
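The mitigation for a loader like the one described above is to parse the properties XML with a builder that refuses DOCTYPE declarations and external entities. The following is an added example, not ESAPI's own code; `SafeXmlPropertyLoader` and the sample documents are constructed for illustration, and the `<entry key="...">` layout is assumed to match the java.util.Properties XML format.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Hypothetical hardened loader (not ESAPI's code): reads Properties-style XML
// while refusing DTDs, so no entity (internal or external) can ever be declared.
public class SafeXmlPropertyLoader {

    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright: this is the single most effective XXE control.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a parser implementation ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    static Map<String, String> load(byte[] xml) throws Exception {
        Document doc = hardenedBuilder().parse(new ByteArrayInputStream(xml));
        Map<String, String> props = new HashMap<>();
        NodeList entries = doc.getElementsByTagName("entry");
        for (int i = 0; i < entries.getLength(); i++) {
            Element e = (Element) entries.item(i);
            props.put(e.getAttribute("key"), e.getTextContent());
        }
        return props;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a plain properties document parses normally.
        byte[] ok = ("<?xml version=\"1.0\"?><properties>"
                + "<entry key=\"Logger.ApplicationName\">demo</entry></properties>")
                .getBytes(StandardCharsets.UTF_8);
        System.out.println(load(ok));
        // Constructed sample: a DOCTYPE, where entities would be declared, is refused
        // before any entity could be resolved (SAXParseException: DOCTYPE is disallowed).
        byte[] withDoctype = ("<?xml version=\"1.0\"?><!DOCTYPE properties []>"
                + "<properties/>").getBytes(StandardCharsets.UTF_8);
        try { load(withDoctype); }
        catch (org.xml.sax.SAXParseException ex) { System.out.println("rejected: " + ex.getMessage()); }
    }
}
```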
Issue Links
- is a clone of SLING-9616 Update to latest OWASP AntiSamy and ESAPI Java libraries (Closed)
- links to