XML External Entity (XXE) Injection

Vulnerability Details

Severity: High

Category: web

Description

The application parses XML input with external entity processing enabled, so an attacker who controls the XML input can declare external entities (for example a `SYSTEM` entity pointing at a file path or URL) that the parser resolves while processing the document.

Risks

An attacker could read local files from the server, reach internal services through the parser's network access (SSRF), cause denial of service through entity expansion, or, depending on the parser and platform, potentially achieve remote code execution.

Remediation

Disable DTD processing and external entity resolution in every XML parser the application uses; rejecting any document that carries a DOCTYPE is the simplest reliable form of this. Use less complex data formats such as JSON where possible. Validate and sanitize XML input. Keep XML parsing libraries updated, since default entity-handling behaviour has changed between library versions.
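As an added example (not code from the original page), the following Python standard-library snippet shows the misconfiguration the description refers to beside the remediation above: one SAX parser with external general entities enabled, and one with entity resolution off and any DTD rejected before an entity can be declared. The XML document, the `RejectDTD` handler, the `parse_unsafe`/`parse_hardened` functions and the "secret" file are all constructed for the demonstration; the file is a temporary file the script creates itself, not a real system file.

```python
"""Added example (not from the original page): an XXE-prone SAX configuration
beside a hardened one, Python standard library only. Every input is constructed."""
import io
import os
import tempfile
import xml.sax
from xml.sax import handler
from xml.sax.handler import ContentHandler


class UnsafeXMLError(ValueError):
    """Raised by the hardened parser when the input carries a DTD."""


class TextCollector(ContentHandler):
    """Gathers character data so we can see what the parser actually resolved."""

    def __init__(self):
        super().__init__()
        self._parts = []

    def characters(self, content):
        self._parts.append(content)

    def text(self):
        return "".join(self._parts).strip()


class RejectDTD:
    """Lexical handler that refuses any DOCTYPE. expat reports the DOCTYPE before
    any entity declaration inside it, so raising here stops the parse before an
    entity can be defined, let alone resolved."""

    def startDTD(self, name, public_id, system_id):
        raise UnsafeXMLError(f"DTD rejected: root {name!r}, system id {system_id!r}")

    # Remaining LexicalHandler callbacks the reader may invoke; nothing to do.
    def endDTD(self): pass
    def comment(self, content): pass
    def startCDATA(self): pass
    def endCDATA(self): pass


def parse_unsafe(xml_bytes):
    """The misconfiguration the page describes: external general entities are
    resolved, so a SYSTEM entity naming a file pulls that file into the document."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, True)  # the dangerous setting
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def parse_hardened(xml_bytes):
    """Remediation: external entity resolution off and DTDs rejected outright.
    feature_external_ges is already False by default since Python 3.7.1; setting
    it explicitly documents the intent and survives a changed default elsewhere."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, False)
    parser.setProperty(handler.property_lexical_handler, RejectDTD())
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def build_xxe_document(path):
    """Constructed test input: the external-entity form the description refers to."""
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE config [<!ENTITY xxe SYSTEM "' + path.encode() + b'">]>\n'
        b'<config><token>&xxe;</token></config>'
    )


BENIGN_DOCUMENT = b'<?xml version="1.0"?><config><token>plain-value</token></config>'


def demo():
    """Runs both parsers against the same input and returns what each produced:
    (text the unsafe parser leaked, error the hardened parser raised, hardened
    parser's result on a benign document)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")
        with open(secret_path, "w") as f:
            f.write("CONSTRUCTED-SECRET-42")  # stands in for a file the app must never expose
        doc = build_xxe_document(secret_path)
        leaked = parse_unsafe(doc)
        try:
            parse_hardened(doc)
            blocked = None
        except UnsafeXMLError as err:
            blocked = str(err)
    return leaked, blocked, parse_hardened(BENIGN_DOCUMENT)


if __name__ == "__main__":
    leaked, blocked, benign = demo()
    print("unsafe parser produced :", leaked)
    print("hardened parser raised :", blocked)
    print("hardened on benign XML :", benign)
```

Rejecting the DOCTYPE wholesale is stricter than disabling entity resolution alone, and it is what the remediation above asks for: it also removes the internal-entity expansion that drives the denial-of-service case. If the application must accept documents with a DTD, keep `feature_external_ges` off and apply the same check to whichever other parser the code base uses, since each library (for example `xml.etree`, `lxml`, or a non-Python parser) carries its own defaults.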