XML Injection (aka Blind XPath Injection) in alovoa/alovoa


Reported on

Jul 23rd 2021

✍️ Description

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via the SAML2AssertionValidator method. Access to external entities was not disabled in XML parsing.

🕵️‍♂️ Proof of Concept


💥 Impact

If the attacker is able to include a crafted DTD and a default entity resolver is enabled, the attacker may be able to access arbitrary files on the system.

We have contacted a member of the alovoa team and are waiting to hear back 2 years ago
Nho Quy Dinh validated this vulnerability 2 years ago
Raptor has been awarded the disclosure bounty
The fix bounty is now up for grabs
Nho Quy Dinh marked this as fixed with commit f3b393 2 years ago
Nho Quy Dinh has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation