CVE-2018-19858
Severity: HIGH
PrinceXML < 10.0 - XML External Entity Injection via HTML IFRAME Element
Title source: llmDescription
PrinceXML, versions 10 and below, is vulnerable to XXE due to the lack of protection against external entities. If an attacker passes HTML referencing an XML file (e.g., in an IFRAME element), PrinceXML will fetch the XML and parse it, thus giving an attacker file-read access and full-fledged SSRF.
References (3)
Third Party Advisory (x_refsource_misc): https://www.lynxsecurity.io/
Exploit, Third Party Advisory (x_refsource_misc): https://hacking.us.com/blog/XSS-to-XXE-in-Prince/
Exploit, Third Party Advisory (x_refsource_misc): https://www.youtube.com/watch?v=-7YIzYtWhzM
Scores
CVSS v3 base score: 8.6
EPSS: 0.0260
EPSS Percentile: 83.3%
Attack Vector: NETWORK
CVSS v3 vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Details
CWE: CWE-611
Status: published
Products (1): princexml/princexml < 10.0
Published: Jan 30, 2019
Tracked Since: Feb 18, 2026