CVE-2020-26705:
XML External Entity vulnerability in Easy-XML

CVSS 3.1 Score: 9.1

Basic Information

EPSS Score: 0.54837%
Published: 11/1/2021
Updated: 11/18/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
easy-xml     | pip       | <= 0.5.0            |

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability description explicitly identifies parseXML as the vulnerable function across all sources (CVE, GHSA, PyPA advisory). XXE vulnerabilities typically occur when XML parsers resolve external entities by default. The function's name and role in processing XML input align directly with the described attack vector. While the exact file path isn't explicitly documented, the package's naming convention suggests it would reside in easy_xml.py.
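The standard mitigation for the class of bug described above is to refuse any DTD (DOCTYPE or entity declaration) before the parser can resolve an entity, since a parser that never sees a DTD can never fetch an external entity or expand an internal one. The following is an added illustration written for this page, not code from easy-xml or from Miggo; it uses only the Python standard library (xml.parsers.expat and xml.etree), and the two input documents are constructed samples.

```python
"""Reject DTDs before parsing so no external (or recursive) entity is ever resolved.

Added example for this page; it is not easy-xml's parseXML and assumes only
the Python standard library. Both sample inputs below are constructed.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class DTDRejected(ValueError):
    """Raised when the input carries a DOCTYPE or an entity declaration."""


def assert_no_dtd(data: bytes) -> None:
    """Stream the document through expat and abort on the first DTD construct.

    Expat reports the DOCTYPE before it sees any entity reference, so the
    document is rejected before any entity could be resolved.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DTDRejected(f"DOCTYPE declaration not allowed (root={name!r})")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        # Covers both external (SYSTEM/PUBLIC) and internal entities; internal
        # entities are what "billion laughs" style denial of service relies on.
        raise DTDRejected(f"entity declaration not allowed ({name!r})")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)  # raises expat.ExpatError on malformed XML


def parse_xml_safely(data: bytes) -> ET.Element:
    """Parse untrusted XML, having first refused any DTD."""
    assert_no_dtd(data)
    return ET.fromstring(data)


def classify(data: bytes) -> str:
    """Return 'accepted', 'rejected-dtd' or 'malformed' for a document."""
    try:
        parse_xml_safely(data)
        return "accepted"
    except DTDRejected:
        return "rejected-dtd"
    except (expat.ExpatError, ET.ParseError):
        return "malformed"


# Constructed sample inputs.
BENIGN = b"<config><name>demo</name></config>"
# Shape of a document that declares an external entity; the SYSTEM target is a
# placeholder. It is refused at the DOCTYPE, before the entity is ever resolved.
WITH_DTD = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE d [<!ENTITY ext SYSTEM "file:///placeholder">]>'
    b"<d>&ext;</d>"
)

if __name__ == "__main__":
    print("benign:", classify(BENIGN))      # accepted
    print("with DTD:", classify(WITH_DTD))  # rejected-dtd
```

The check runs as a separate pre-parse pass rather than relying on whatever the downstream parser does with entities by default, which is exactly the assumption that goes wrong in an XXE bug; a parser wrapper such as parseXML would call assert_no_dtd on its input before handing it to its real parser.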

Vulnerable functions

Only Miggo users can see this section

WAF Protection Rules

WAF Rule

The parseXML function in easy-XML *.*.* was discovered to have a XML external entity (XXE) vulnerability which allows for an attacker to expose sensitive data or perform a denial of service (DOS) via a crafted external entity entered into the XML con
