Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS13dnB2LTg1MjQtd2c2eM4AAXRX

mxGraph vulnerable to XXE attacks

In mxGraphViewImageReader.java in mxGraph before 3.7.6, the SAXParserFactory instance in convert() is missing flags to prevent XML External Entity (XXE) attacks, as demonstrated by /ServerView.

Permalink: https://github.com/advisories/GHSA-wvpv-8524-wg6x
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13dnB2LTg1MjQtd2c2eM4AAXRX
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 2 years ago
Updated: about 1 year ago


CVSS Score: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Percentage: 0.00679
EPSS Percentile: 0.80506

Identifiers: GHSA-wvpv-8524-wg6x, CVE-2017-18197
References: Repository: https://github.com/jgraph/mxgraph
Blast Radius: 23.5

Affected Packages

npm:mxgraph
Dependent packages: 83
Dependent repositories: 251
Downloads: 119,171 last month
Affected Version Ranges: < 3.7.6
Fixed in: 3.7.6
All affected versions: 3.7.1, 3.7.3, 3.7.4, 3.7.5
All unaffected versions: 3.7.6, 3.8.0, 3.9.0, 3.9.1, 3.9.2, 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 3.9.8, 3.9.11, 3.9.12, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.2.2