mxGraph vulnerable to XXE attacks
Critical severity
GitHub Reviewed
Published
May 14, 2022
to the GitHub Advisory Database
•
Updated Oct 19, 2023
Description
Published by the National Vulnerability Database
Feb 24, 2018
Published to the GitHub Advisory Database
May 14, 2022
Reviewed
Oct 19, 2023
Last updated
Oct 19, 2023
In
mxGraphViewImageReader.java
in mxGraph before 3.7.6, theSAXParserFactory
instance inconvert()
is missing flags to prevent XML External Entity (XXE) attacks, as demonstrated by/ServerView
.References