Closed seanboylan closed 8 years ago
ezvcard.util.XMLUtils
```java
private static Document toDocument(InputSource in) throws SAXException, IOException {
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    factory.setNamespaceAware(true);
    factory.setIgnoringComments(true);

    DocumentBuilder builder;
    try {
        builder = factory.newDocumentBuilder();
    } catch (ParserConfigurationException e) {
        //should never be thrown because we're not doing anything fancy with the configuration
        throw new RuntimeException(e);
    }

    return builder.parse(in);
}
```
Has an XXE vulnerability - Please disable external XML entity processing:
References:
- https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Prevention_Cheat_Sheet
- https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing
Thank you for reporting this, Sean. I will look into it.
Fixed in e7822b75b8825c659408830d4ff80b92ebcdb9f3.
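For readers following the thread, a sketch of what disabling DTD and external entity processing on a `DocumentBuilderFactory` looks like, following the OWASP cheat sheet linked in the report. This is an added example, not the code from the commit referenced above and not ez-vcard's own; the class name `SafeXmlExample` and both sample documents are constructed for illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class SafeXmlExample {  // hypothetical class name
    // Same options as the reported method, plus parser features that
    // switch off DTDs and external entity resolution.
    static Document toDocument(InputSource in) throws SAXException, IOException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setIgnoringComments(true);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        try {
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            // Reject any document that carries a DOCTYPE declaration.
            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            // Defence in depth in case DOCTYPEs are ever allowed again.
            factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
            factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
            return factory.newDocumentBuilder().parse(in);
        } catch (ParserConfigurationException e) {
            // Fail closed: a parser that cannot be hardened must not be used.
            throw new IllegalStateException("XML parser lacks required hardening features", e);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: one plain document, one with a DOCTYPE.
        String plain = "<vcards xmlns=\"urn:ietf:params:xml:ns:vcard-4.0\"><vcard/></vcards>";
        String withDoctype = "<!DOCTYPE vcards [<!ENTITY e \"x\">]><vcards>&e;</vcards>";

        Document doc = toDocument(new InputSource(new StringReader(plain)));
        System.out.println("Parsed root: " + doc.getDocumentElement().getLocalName());
        try {
            toDocument(new InputSource(new StringReader(withDoctype)));
            System.out.println("DOCTYPE accepted (hardening not effective)");
        } catch (SAXException e) {
            System.out.println("DOCTYPE rejected: " + e.getMessage());
        }
    }
}
```

Catching `ParserConfigurationException` and continuing with an unhardened parser would silently reintroduce the issue on XML implementations that do not recognise these feature URIs, which is why the sketch fails closed.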