Description

EpubCheck 4.0.1 does not properly restrict resolving external entities when parsing XML in EPUB files during validation. An attacker who supplies a specially crafted EPUB file may be able to exploit this behavior to read arbitrary files, or have the victim execute arbitrary requests on his behalf, abusing the victim's trust relationship with other entities.

Remediation

References

https://www.kb.cert.org/vuls/id/779243

https://www.securityfocus.com/bid/94864/

Related Vulnerabilities

CVE-2022-25885 Vulnerability in npm package hummus

CVE-2021-21162 Vulnerability in npm package electron

CVE-2017-16024 Vulnerability in npm package sync-exec

CVE-2017-4971 Vulnerability in maven package org.springframework.webflow:spring-webflow

CVE-2016-10687 Vulnerability in npm package windows-selenium-chromedriver

Severity

High

Classification

CWE-611 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Third Party Advisory US Government Resource VDB Entry