An XML External Entity (XXE) vulnerability in Dmoz2CSV in openimaj v1.3.10 allows attackers to access sensitive information or execute arbitrary code via supplying a crafted XML file.
An attacker provides a crafted XML file containing references to external entities (External Entity). The XML parser used in the Dmoz2CSV component processes these entities without proper restrictions, leading to disclosure of local files or network resources (CWE-611). Additionally, the vulnerability includes CWE-91 (XML Injection), which may enable injection of malicious XML content and lead to arbitrary code execution (RCE).
An attacker can gain unauthorized access to sensitive files and system resources or execute arbitrary code on the server processing a malicious XML file.
Apply patches available from the vendor according to the references. Additionally, it is recommended to avoid processing untrusted XML files by the Dmoz2CSV component until the patch is applied, and to consider disabling external XML entity (XXE) support at the XML parser configuration level.
OpenIMAJ v1.3.10, Dmoz2CSV component (Maven artifact: org.openimaj.tools/WebTools)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HOpenimaj
APPOpenimaj1.3.10