Description
An administrator with workflow definition entitlements can use DTD to perform malicious operations, including but not limited to file read, file write, and code execution.
Remediation
References
https://syncope.apache.org/security#CVE-2018-17186:_XXE_on_BPMN_definitions
Related Vulnerabilities
CVE-2023-34062 Vulnerability in maven package io.projectreactor.netty:reactor-netty-http
CVE-2018-1000865 Vulnerability in maven package org.kohsuke:groovy-sandbox
CVE-2023-49799 Vulnerability in npm package nuxt-api-party
CVE-2023-44487 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core
CVE-2019-10449 Vulnerability in maven package org.jenkins-ci.plugins:fortify-on-demand-uploader