Description

XSLT (Extensible Stylesheet Language Transformations) is a language for transforming XML documents into other XML documents, or other formats such as HTML for web pages, plain text. When the XSLT content is controlled by the user, various attacks are possible as described in the Impact section.

Remediation

Reconfigure your XSLT processor to protect against these attacks.

References

XSLT Security and Server Side Request Forgery

XSLT

XSLT (Nicolas Gregoire)

Related Vulnerabilities

Same origin method execution (SOME)

Unrestricted File Upload

SAP IGS XXE (CVE-2018-2392, CVE-2018-2393)

Unsafe use of Reflection

Zend Framework local file disclosure via XXE injection

Severity

High

Classification

CWE-91 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Tags

Abuse Of Functionality Acumonitor