- Task
- Resolution: Won't Do
- Medium
- None
- None
- None
Improper Restriction of XML External Entity Reference ('XXE')
The resolution of external entity references is enabled. If attacker-controlled XML can be submitted to this XML parser, the attacker could gain access to information about an internal network, the local filesystem, or other sensitive data. This is known as an XML eXternal Entity (XXE) attack.
Configure the XML parser to disable external entity resolution.
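As an added example (not code from this ticket or from the project it was filed against), the following Python script shows the parser configuration the remediation calls for, using only the standard library's xml.sax layer over expat: resolution of external general and parameter entities is switched off, and, as defence in depth, any DOCTYPE declaration is refused, since that is the only place an entity can be declared. The names parse_untrusted_xml, UnsafeXMLError and make_hardened_parser, and the two sample documents, are assumptions constructed for this example; the ticket does not say which parser or language the flagged code uses.

```python
"""Parsing untrusted XML with external entity resolution disabled.

Added example (not the ticket's or the project's code). Standard library only:
xml.sax on top of expat. Function names and sample documents are constructed.
"""
import io
import xml.sax
from xml.sax.handler import (
    ContentHandler,
    feature_external_ges,
    feature_external_pes,
    property_lexical_handler,
)


class UnsafeXMLError(ValueError):
    """Raised when a document uses constructs the hardened parser refuses."""


class _RejectDoctype:
    """Lexical handler that refuses any DOCTYPE, internal subset included.

    Entity declarations can only appear inside a DOCTYPE, so refusing it
    removes the place where an external entity could be defined at all.
    """

    def startDTD(self, name, public_id, system_id):
        raise UnsafeXMLError(f"DOCTYPE {name!r} not accepted (system id {system_id!r})")

    # Remaining LexicalHandler callbacks: nothing to do.
    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


class _TreeCollector(ContentHandler):
    """Minimal ContentHandler that builds a dict tree from SAX events."""

    def __init__(self):
        super().__init__()
        self.root = None
        self._stack = []

    def startElement(self, name, attrs):
        node = {"tag": name, "attrs": dict(attrs), "text": "", "children": []}
        if self._stack:
            self._stack[-1]["children"].append(node)
        else:
            self.root = node
        self._stack.append(node)

    def characters(self, content):
        if self._stack:
            self._stack[-1]["text"] += content

    def endElement(self, name):
        self._stack.pop()


def make_hardened_parser(content_handler):
    """Return a SAX parser that never fetches external entities.

    The weak configuration this finding describes is the same parser with
    feature_external_ges left True: an external entity reference would then be
    resolved against the filesystem or network.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)  # external general entities
    parser.setFeature(feature_external_pes, False)  # external parameter entities
    parser.setProperty(property_lexical_handler, _RejectDoctype())  # no DOCTYPE
    parser.setContentHandler(content_handler)
    return parser


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML bytes from an untrusted source into a dict tree.

    Raises UnsafeXMLError for documents carrying a DOCTYPE and for malformed
    input, so callers never see a partially processed document.
    """
    collector = _TreeCollector()
    parser = make_hardened_parser(collector)
    try:
        parser.parse(io.BytesIO(data))
    except UnsafeXMLError:
        raise
    except xml.sax.SAXException as exc:
        raise UnsafeXMLError(f"malformed XML rejected: {exc}") from exc
    return collector.root


def is_rejected(data: bytes) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXMLError:
        return True
    return False


# Constructed sample inputs: a benign document and one carrying a DOCTYPE that
# declares an external entity pointing at a deliberately non-existent path.
BENIGN_XML = b'<?xml version="1.0"?><order id="42"><item>widget</item></order>'
DOCTYPE_XML = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///constructed/not-a-real-path">]>'
    b"<order>&ext;</order>"
)

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN_XML))
    print("DOCTYPE sample rejected:", is_rejected(DOCTYPE_XML))
```

Disabling the two external-entity features is the direct fix for this finding; refusing the DOCTYPE is the stricter setting the OWASP cheat sheet referenced below recommends whenever the application's XML format has no legitimate need for one, and the same cheat sheet lists the equivalent switches for other parsers and languages.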
References:
CWE (http://cwe.mitre.org/data/definitions/611.html)
OWASP (https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet)
WASC (http://projects.webappsec.org/w/page/13247003/XML%20External%20Entities)