Description
All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform in a RetrievalMethod element to extract any local .xml files.
Remediation
References