The vulnerability stems from the XMLBuilder component in fast-xml-parser versions prior to 5.7.0 failing to escape two critical delimiter sequences when constructing XML from JavaScript objects: `-->` (the XML comment end marker) and `]]>` (the CDATA end marker). An attacker who can control the content placed into an XML comment or CDATA section can supply a value that includes `-->`, prematurely closing the comment, followed by arbitrary XML/HTML, and then optionally `` and `]]>` before they reach the XML builder.
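One way to neutralise both delimiters before a value is handed to an XML builder, as an added example that is not code from the advisory or from fast-xml-parser. The function names are hypothetical and the sample strings are constructed.

```javascript
// Added example: sanitise text destined for an XML comment or CDATA section.
// All function names here are hypothetical helpers, not library API.

// XML 1.0 forbids "--" inside a comment and a comment body ending in "-".
// This rewrite is lossy: it changes the text so it can never close the comment.
function safeCommentText(text) {
  let out = String(text).replace(/-(?=-)/g, "- "); // "--" -> "- -", "---" -> "- - -"
  if (out.endsWith("-")) out += " ";               // avoid "--->" at the closing marker
  return out;
}

// "]]>" cannot appear inside CDATA. Splitting it across two adjacent sections
// is lossless: a parser reads back the original characters.
function safeCDataText(text) {
  return String(text).replace(/\]\]>/g, "]]]]><![CDATA[>");
}

function buildComment(text) { return "<!--" + safeCommentText(text) + "-->"; }
function buildCData(text) { return "<![CDATA[" + safeCDataText(text) + "]]>"; }

// Reads CDATA back the way a parser would (concatenating adjacent sections),
// to show that the split above round-trips.
function readCData(xml) {
  let out = "";
  for (const m of xml.matchAll(/<!\[CDATA\[([\s\S]*?)\]\]>/g)) out += m[1];
  return out;
}

// Constructed sample values, not taken from a real incident.
const samples = ["ok --> <injected/>", "trailing-", "a]]><injected/>b"];
for (const s of samples) {
  console.log(buildComment(s));
  console.log(buildCData(s));
}
```

The comment rewrite alters the stored text, so applications that must preserve the exact value should reject input containing `--` instead of rewriting it.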
Impact
- Web applications that render user-supplied XML comments in a browser context become vulnerable to cross-site scripting (XSS), leading to session theft, credential harvesting, or defacement.
- RSS/Atom feed generators using CDATA for content descriptions can be forced to inject arbitrary scripts, compromising feed readers or aggregators.
- SOAP services built with the XMLBuilder may suffer from SOAP injection, allowing an attacker to alter the message structure, invoke unintended operations, or probe for internal APIs.
- General XML data manipulation can corrupt business logic or lead to denial-of-service through malformed XML that breaks downstream parsers.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

