083 – XML injection (XXE)
Description
It is possible to inject XML code into the application's requests, which is then interpreted by the server. This could allow an attacker to perform data exfiltration or execute commands remotely.
Impact
Perform various attacks that compromise the confidentiality, integrity and availability of the system.
Recommendation
Filter the information that is received and sent by the application through white lists.
Threat
Authenticated attacker from the Internet.
Expected Remediation Time
Score 4.0
Default score using CVSS 4.0. It may change depending on the context of the src.
Base 4.0
- Attack vector: N
- Attack complexity: L
- Attack Requirements: N
- Privileges required: L
- User interaction: N
- Confidentiality (VC): L
- Integrity (VI): L
- Availability (VA): L
- Confidentiality (SC): N
- Integrity (SI): N
- Availability (SA): N
Threat 4.0
- Exploit maturity: P