Description

EpubCheck 4.0.1 does not properly restrict resolving external entities when parsing XML in EPUB files during validation. An attacker who supplies a specially crafted EPUB file may be able to exploit this behavior to read arbitrary files, or have the victim execute arbitrary requests on his behalf, abusing the victim's trust relationship with other entities.

Remediation

References

https://www.kb.cert.org/vuls/id/779243

https://www.securityfocus.com/bid/94864/

Related Vulnerabilities

CVE-2023-24998 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

CVE-2014-3743 Vulnerability in npm package marked

CVE-2018-11797 Vulnerability in maven package org.apache.pdfbox:pdfbox

CVE-2023-49620 Vulnerability in maven package org.apache.dolphinscheduler:dolphinscheduler-dao

CVE-2019-10291 Vulnerability in maven package org.jenkins-ci.plugins:netsparker-cloud-scan

Severity

High

Classification

CWE-611 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Third Party Advisory US Government Resource VDB Entry