XML Injection (aka Blind XPath Injection) in alovoa/alovoa


Reported on Jul 23rd 2021

✍️ Description

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via the SAML2AssertionValidator method. Access to external entities was not disabled in XML parsing.

🕵️‍♂️ Proof of Concept


💥 Impact

If the attacker is able to include a crafted DTD and a default entity resolver is enabled, the attacker may be able to access arbitrary files on the system.
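One way to close the gap described above is to harden the XML parser before it sees untrusted input. This is an added example, not alovoa's code or the merged fix; it assumes the JDK's built-in JAXP `DocumentBuilderFactory` as the parser, and the class name `HardenedXmlParsing` and the sample document are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;

// Hypothetical class name; not part of alovoa.
public class HardenedXmlParsing {

    // Constructed sample: a DOCTYPE that declares a harmless internal entity.
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE Response [ <!ENTITY e \"expanded\"> ]>\n"
      + "<Response>&e;</Response>";

    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Primary control: refuse any document that carries a DOCTYPE at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case the DOCTYPE ban is ever relaxed.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // JAXP 1.5 properties (JDK parser); an empty string allows no protocols.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setNamespaceAware(true);
        return f.newDocumentBuilder();
    }

    // Parses SAMPLE and reports whether the parser accepted or rejected it.
    static String parse(DocumentBuilder builder) {
        try {
            Document d = builder.parse(
                new ByteArrayInputStream(SAMPLE.getBytes(StandardCharsets.UTF_8)));
            return "accepted: " + d.getDocumentElement().getTextContent();
        } catch (Exception e) {
            return "rejected: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder unhardened = DocumentBuilderFactory.newInstance().newDocumentBuilder();
        System.out.println("default  -> " + parse(unhardened));
        System.out.println("hardened -> " + parse(hardenedBuilder()));
    }
}
```

A regression test that feeds a DOCTYPE-bearing document to the SAML parsing path and expects rejection keeps the setting from being silently dropped in a later refactor.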

We have contacted a member of the alovoa team and are waiting to hear back (4 months ago)
Nho Quy Dinh validated this vulnerability (4 months ago)
Raptor has been awarded the disclosure bounty
The fix bounty is now up for grabs
Nho Quy Dinh confirmed that a fix has been merged on f3b393 (4 months ago)
Nho Quy Dinh has been awarded the fix bounty