CVE-2014-5325
Direct Web Remoting < 2.0.10 and 3.x < 3.0.RC2 - XML External Entity Injection via DOM Converter
Title source: llmDescription
The (1) DOMConverter, (2) JDOMConverter, (3) DOM4JConverter, and (4) XOMConverter functions in Direct Web Remoting (DWR) through 2.0.10 and 3.x through 3.0.RC2 allow remote attackers to read arbitrary files via DOM data containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
References (3)
Core 3
Core References
Third Party Advisory third-party-advisory
x_refsource_jvndb
http://jvndb.jvn.jp/jvndb/JVNDB-2014-000117
Third Party Advisory third-party-advisory
x_refsource_jvn
http://jvn.jp/en/jp/JVN91502163/index.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/71093
Scores
EPSS
0.0232
EPSS Percentile
81.4%
Details
CWE
CWE-200
Status
published
Products (3)
directwebremoting/direct_web_remoting
3.0 rc1 (2 CPE variants)
directwebremoting/direct_web_remoting
< 2.0.10
org.directwebremoting/dwr
0 - 2.0.11Maven
Published
Nov 24, 2014
Tracked Since
Feb 18, 2026