Description

The org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory method in PicketLink, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 5.2.0 and 6.2.4, expands entity references, which allows remote attackers to read arbitrary code and possibly have other unspecified impact via unspecified vectors, related to an XML External Entity (XXE) issue.

Remediation

References

CVE-2014-3530

Related Vulnerabilities

Chamilo Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2018-20329)

PHP NULL Pointer Dereference Vulnerability (CVE-2020-7062)

SharePoint Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2017-8569)

WordPress Plugin GTM4WP Cross-Site Scripting (1.9)

XWiki Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2022-41927)

Severity

High

Classification

CVE-2014-3530 CWE-200

Tags

Missing Update Known Vulnerabilities