Description

EpubCheck 4.0.1 does not properly restrict resolving external entities when parsing XML in EPUB files during validation. An attacker who supplies a specially crafted EPUB file may be able to exploit this behavior to read arbitrary files, or have the victim execute arbitrary requests on his behalf, abusing the victim's trust relationship with other entities.

Remediation

References

https://www.kb.cert.org/vuls/id/779243

https://www.securityfocus.com/bid/94864/

Related Vulnerabilities

CVE-2021-27850 Vulnerability in maven package org.apache.tapestry:tapestry-core

CVE-2020-1941 Vulnerability in maven package org.apache.activemq:activemq-web-console

CVE-2019-9155 Vulnerability in maven package org.webjars.npm:openpgp

CVE-2016-1000346 Vulnerability in maven package org.bouncycastle:bcprov-jdk15on

CVE-2016-10563 Vulnerability in npm package go-ipfs-dep

Severity

High

Classification

CWE-611 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Third Party Advisory US Government Resource VDB Entry