CVSS Score

The vulnerability stems from insecure XML parsing in the XSL transformation process. The patch explicitly adds 'factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)' to the TransformerFactory initialization in InputHandler.java. The absence of this security feature in versions <= 2.9 leaves the XML parser vulnerable to XXE attacks, because external entity references are not restricted. The transformTo method is directly modified in the fix, confirming it as the vulnerable code path.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.apache.xmlgraphics:fop-core | maven | <= 2.9 | 2.10 |
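The following is an added example, not code from Apache FOP or from the patch described above. It shows the shape of the fix in isolation: a JAXP TransformerFactory with FEATURE_SECURE_PROCESSING enabled, applied to a constructed stylesheet and two constructed inputs, one benign and one that declares an external entity against a placeholder path. The two ACCESS_EXTERNAL_* attribute calls are an assumption added here as a defensive complement; they are not part of the one-line patch. The class name, the stylesheet and the sample documents are all invented for this illustration, and the exact error text depends on the JAXP implementation in use.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;

public class HardenedXslt {

    // Mirrors the fix: secure processing turned on at factory creation.
    // The two setAttribute calls are an assumption added in this example
    // (they restrict external DTD and stylesheet access explicitly) and are
    // not part of the patch this record describes.
    static TransformerFactory newHardenedFactory() throws TransformerConfigurationException {
        TransformerFactory factory = TransformerFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return factory;
    }

    // Runs one XSL transformation of an in-memory document with the given factory.
    static String transform(TransformerFactory factory, String xslt, String xml)
            throws TransformerException {
        Transformer t = factory.newTransformer(new StreamSource(new StringReader(xslt)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    // Constructed stylesheet: emits the text content of the root element.
    static final String XSLT =
        "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
        + "<xsl:output method=\"text\"/>"
        + "<xsl:template match=\"/\"><xsl:value-of select=\"/doc\"/></xsl:template>"
        + "</xsl:stylesheet>";

    // Constructed benign input.
    static final String BENIGN_XML = "<doc>hello</doc>";

    // Constructed input that declares an external entity; the path is a placeholder.
    static final String EXTERNAL_ENTITY_XML =
        "<!DOCTYPE doc [<!ENTITY ext SYSTEM \"file:///placeholder/does-not-exist.txt\">]>"
        + "<doc>&ext;</doc>";

    public static void main(String[] args) throws Exception {
        TransformerFactory hardened = newHardenedFactory();

        // Ordinary documents still transform normally.
        System.out.println("benign: " + transform(hardened, XSLT, BENIGN_XML));

        // A document that tries to pull in external content is refused before any
        // file or network access is attempted.
        try {
            transform(hardened, XSLT, EXTERNAL_ENTITY_XML);
            System.out.println("unexpected: external entity was resolved");
        } catch (TransformerException e) {
            System.out.println("rejected by hardened factory: " + e.getMessage());
        }
    }
}
```

The point to verify in a code review of a consumer of fop-core is that every TransformerFactory instance used on untrusted input is created this way; a single factory built with the bare TransformerFactory.newInstance() elsewhere in the code base reintroduces the issue regardless of the library upgrade.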