SYNC-2021-2809 - XML eXternal Entity (XXE) vulnerability

Severity: Medium
2021-10-18


Abstract

The logback-core package is vulnerable to XML eXternal Entity (XXE) attacks. The buildSaxParser() method in the SaxEventRecorder class processes malicious external entities by default due to an unsafe XML parser configuration.

The Oxygen XML products incorporate logback-core as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability on those products.
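The unsafe-versus-hardened parser configuration the abstract refers to, shown as an added example that is not part of this advisory and is not logback's own SaxEventRecorder code: the two factory methods, the element names in the configuration and the temporary "secret" file are stand-ins chosen for illustration, and the malicious configuration document is constructed here. It requires Java 11 or later (for Files.writeString). On a default JDK the unsafe parser resolves the SYSTEM entity and the file contents appear in the parsed document; the hardened parser rejects the DOCTYPE before any entity is read.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.Attributes;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

/**
 * Illustrative stand-in for a logback-style configuration loader.
 * Not logback's own code; method and element names are assumptions.
 */
public class XxeDemo {

    /** Constructed sample: a configuration that declares an external entity and expands it in element text. */
    static String maliciousConfig(String fileUri) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE configuration [\n"
             + "  <!ENTITY xxe SYSTEM \"" + fileUri + "\">\n"
             + "]>\n"
             + "<configuration>\n"
             + "  <leak>&xxe;</leak>\n"
             + "</configuration>\n";
    }

    /** Unsafe: the factory's default settings resolve external entities. */
    static SAXParser buildUnsafeSaxParser() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        return f.newSAXParser();
    }

    /** Hardened: forbid DOCTYPE declarations and external entity resolution. */
    static SAXParser buildHardenedSaxParser() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        // Rejecting the DOCTYPE stops external entities and entity-expansion attacks in one step.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, in case the JAXP implementation does not support the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f.newSAXParser();
    }

    /** Parses the document and returns the text content of the <leak> element. */
    static String parseLeakText(SAXParser parser, String xml) throws Exception {
        final StringBuilder text = new StringBuilder();
        parser.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)), new DefaultHandler() {
            private boolean inLeak;

            @Override
            public void startElement(String uri, String localName, String qName, Attributes atts) {
                inLeak = "leak".equals(qName);
            }

            @Override
            public void endElement(String uri, String localName, String qName) {
                inLeak = false;
            }

            @Override
            public void characters(char[] ch, int start, int length) {
                if (inLeak) {
                    text.append(ch, start, length);
                }
            }
        });
        return text.toString();
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for a sensitive local file, written here so the demo runs offline.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "SECRET-DATA");
        String xml = maliciousConfig(secret.toUri().toString());

        // Unsafe parser: the entity is resolved and the file contents land in the parsed document.
        System.out.println("unsafe   : " + parseLeakText(buildUnsafeSaxParser(), xml));

        // Hardened parser: the DOCTYPE is rejected before any entity is resolved.
        try {
            parseLeakText(buildHardenedSaxParser(), xml);
            System.out.println("hardened : parsed (unexpected)");
        } catch (SAXException e) {
            System.out.println("hardened : rejected (" + e.getMessage() + ")");
        }
        Files.deleteIfExists(secret);
    }
}
```

The same check applies when auditing any bundled library that parses XML from a file or resource an attacker can influence: confirm the SAXParserFactory (or DocumentBuilderFactory) it builds has DOCTYPE declarations disabled, or at minimum external general and parameter entities turned off.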

Affected Products/Versions

Product | Severity | Fixed Release Availability
Oxygen XML Editor 23.1 and older versions | Medium | Oxygen XML Editor 24.0
Oxygen XML Developer 23.1 and older versions | Medium | Oxygen XML Developer 24.0
Oxygen XML Author 23.1 and older versions | Medium | Oxygen XML Author 24.0
Oxygen Publishing Engine 23.1 and older versions | Medium | Oxygen Publishing Engine 24.0; Oxygen Publishing Engine 23.1 build 2021121413

Mitigation

None

Detail

SYNC-2021-2809

Severity: Medium

CVSS Score: 5.1

Oxygen XML software products up to and including version 23.1 bundle an affected version of the logback-core third-party library.

Starting with Oxygen 24.0 (and, for Oxygen Publishing Engine, build 2021121413 of version 23.1), logback-core was updated to version 1.2.6, which fixes this vulnerability.
