CVE-2014-5325

Direct Web Remoting < 2.0.10 and 3.x < 3.0.RC2 - XML External Entity Injection via DOM Converter

Title source: llm
STIX 2.1

Description

The (1) DOMConverter, (2) JDOMConverter, (3) DOM4JConverter, and (4) XOMConverter functions in Direct Web Remoting (DWR) through 2.0.10 and 3.x through 3.0.RC2 allow remote attackers to read arbitrary files via DOM data containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

References (3)

Core 3
Core References
Third Party Advisory third-party-advisory x_refsource_jvndb
http://jvndb.jvn.jp/jvndb/JVNDB-2014-000117
Third Party Advisory third-party-advisory x_refsource_jvn
http://jvn.jp/en/jp/JVN91502163/index.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/71093

Scores

EPSS 0.0232
EPSS Percentile 81.4%

Details

CWE
CWE-200
Status published
Products (3)
directwebremoting/direct_web_remoting 3.0 rc1 (2 CPE variants)
directwebremoting/direct_web_remoting < 2.0.10
org.directwebremoting/dwr 0 - 2.0.11Maven
Published Nov 24, 2014
Tracked Since Feb 18, 2026