We found results for “”
WS-2022-0266
Good to know:
Date: August 11, 2022
mofh before 1.0.1 is vulnerable to Improper Restriction of XML External Entity Reference. The xml.etree.ElementTree module implements a simple and efficient API for parsing and creating XML data. Due to the issue, mpfh is vulnerable to Billion Laughs and Quadratic Blowup, which lead to Denial of Service (DoS). The patched versions utilize the defusedxml package instead of xml.etree.ElementTree. Note: To exploit the vulnerability, the user must be using a custom API URL which has to be manually given using the api_url argument, or MyOwnFreeHost's API must be hacked.
Language: Python
Severity Score
Severity Score
Weakness Type (CWE)
Improper Restriction of XML External Entity Reference ('XXE')
CWE-611Top Fix
CVSS v3.1
Base Score: |
|
---|---|
Attack Vector (AV): | NETWORK |
Attack Complexity (AC): | LOW |
Privileges Required (PR): | LOW |
User Interaction (UI): | NONE |
Scope (S): | UNCHANGED |
Confidentiality (C): | NONE |
Integrity (I): | NONE |
Availability (A): | HIGH |