Bug 58046 - XML Entity expansion / injection possible
Alias: None
Product: POI
Classification: Unclassified
Component: POI Overall
Version: unspecified
Hardware: All All
Importance: P2 normal
Target Milestone: ---
Assignee: POI Developers List
Reported: 2015-06-17 12:09 UTC by Donald
Modified: 2015-06-26 12:05 UTC

scan report (64.68 KB, application/pdf)
2015-06-17 12:09 UTC, Donald

Description Donald 2015-06-17 12:09:19 UTC
Created attachment 32831
scan report

There are several places where XML entity expansion / injection is possible. See attached report.
Comment 1 Dominik Stadler 2015-06-26 12:05:07 UTC
The main classes in POI do take care to handle this correctly. All the items reported as "high" in the report are related to development/sample/scratchpad classes which are provided as showcases for how to use POI and are not intended for production use without further adjustments.

Please reopen if you think there is an actual vulnerability in code that is part of the core POI functionality.