XDocReport XML External Entity Injection Vulnerability Allowing Arbitrary Code Execution
Vulnerability
A vulnerability allowing XML External Entity (XXE) injection has been identified in XDocReport versions 0.9.2 through 2.0.3. The root cause is that the library processes user-uploaded .docx files using a SAXParser that does not disable DTD processing or external entity resolution. As a result, a crafted .docx file, when processed, triggers the XXE, which can lead to arbitrary code execution.
Impact
Exploitation of this vulnerability could lead to arbitrary code execution on the server where the affected XDocReport library is used.
Reproduction
To reproduce this vulnerability, upload a .docx file whose XML parts contain a DOCTYPE declaration referencing an external entity. XDocReport processes the file and, because of the XXE vulnerability, resolves the external entity, potentially leading to arbitrary code execution.
Remediation
Users can update to the patched version of XDocReport, which is available on the project's GitHub repository.
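The vulnerability and remediation sections above come down to one parser setting: a SAXParser that still honours DOCTYPE declarations. The following is an added example written for this page; it is not code from XDocReport or from the advisory, and the class name, the constructed sample document and the acceptsDoctype check are assumptions of the example. It places a default JAXP factory (the configuration the advisory describes) beside a hardened one that rejects any DOCTYPE and disables external entity loading, and it gives a small check that can be dropped into a unit test to confirm which configuration a build is actually running with. The sample uses only an internal entity, because that is enough to show the difference: the default parser expands it, the hardened parser refuses the document before the DTD is ever processed.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

// Hypothetical class name; not part of XDocReport.
public class DoctypeGuardCheck {

    // Constructed sample: a DOCTYPE with an internal entity only. No external reference is
    // needed to show the difference: a parser that honours the DTD expands &greet;, a parser
    // with DOCTYPE disallowed rejects the document before the entity is ever looked at.
    static final String DOC_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE d [ <!ENTITY greet \"hello\"> ]>\n"
      + "<d>&greet;</d>";

    /** Default JAXP factory: DTD processing and entity resolution enabled, as in the advisory. */
    static SAXParserFactory defaultFactory() {
        return SAXParserFactory.newInstance();
    }

    /** Factory with DOCTYPE declarations rejected and external entity resolution disabled. */
    static SAXParserFactory hardenedFactory() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        // OOXML parts (document.xml, styles.xml, ...) never carry a DOCTYPE, so reject it outright.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parser implementations that ignore the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        return f;
    }

    /** Parses xml with a parser from the given factory and returns its concatenated text. */
    static String textContent(SAXParserFactory factory, String xml) throws Exception {
        SAXParser parser = factory.newSAXParser();
        StringBuilder text = new StringBuilder();
        DefaultHandler handler = new DefaultHandler() {
            @Override
            public void characters(char[] ch, int start, int length) {
                text.append(ch, start, length);
            }
        };
        try (InputStream in = new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))) {
            parser.parse(new InputSource(in), handler);
        }
        return text.toString();
    }

    /**
     * Configuration check suitable for a unit test: true if the factory still accepts a
     * DOCTYPE (the XXE path is open), false if it refuses the document.
     */
    static boolean acceptsDoctype(SAXParserFactory factory) throws Exception {
        try {
            textContent(factory, DOC_WITH_DOCTYPE);
            return true;
        } catch (SAXParseException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default factory accepts DOCTYPE:  " + acceptsDoctype(defaultFactory()));
        System.out.println("hardened factory accepts DOCTYPE: " + acceptsDoctype(hardenedFactory()));
    }
}
```

The feature URIs are the standard Xerces and SAX ones that the JDK's built-in parser recognises; a third-party parser may reject an unknown feature with a SAXNotRecognizedException, which is itself a useful signal that the hardening did not take effect. Disallowing DOCTYPE is the single setting that matters most here, since an XXE payload cannot exist without one; the remaining features only cover parsers that do not honour it.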
