Skip to content
This repository was archived by the owner on Sep 21, 2024. It is now read-only.
This repository was archived by the owner on Sep 21, 2024. It is now read-only.

Xml external entity injection #6

Description

@QiAnXinCodeSafe

The Domparser method in the InvokeDecoder.java uses the xml parser to parse the xml string without disabling the xml external entity, causing the attacker to construct a malicious xml string for the xce attack .
图片

The same problem exists in SAXParser.java and XMLConfig.java

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions