If those files are of an external origin (e.g. However they may be used in site or plugin code, e.g. Both the vulnerable method and the data handler are not used in the Kirby core. The `Xml::parse()` method is used in the `Xml` data handler (e.g. If the name of the external file can be controlled by an attacker, this becomes a vulnerability that can be abused for various system impacts like the disclosure of internal or confidential data that is stored on the server (arbitrary file disclosure) or to perform network requests on behalf of the server (server-side request forgery, SSRF).\n\nKirby's `Xml::parse()` method used PHP's `LIBXML_NOENT` constant, which enabled the processing of XML external entities during the parsing operation. The Kirby core does not use any of the affected methods.\n\nXML External Entities (XXE) is a little used feature in the XML markup language that allows to include data from external files in an XML structure. `Data::decode($string, 'xml')`) or the `Xml::parse()` method in site or plugin code.
A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 only affects Kirby sites that use the `Xml` data handler (e.g.
0 kommentar(er)
