Open douglm opened 10 years ago
Bedework seems to be vulnerable to the XXE exploit. See more: https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing
Fix along the lines of
```java
String FEATURE = "http://xml.org/sax/features/external-general-entities";
dbf.setFeature(FEATURE, false);

// Xerces 2 only - http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl
FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
dbf.setFeature(FEATURE, true);
```