The xml.etree.ElementTree module that mofh used up until version 1.0.1 implements a simple and efficient API for parsing and creating XML data, but it makes the application vulnerable to:

The problem has been patched starting from version 1.0.1 by utilising the defusedxml package instead of xml.etree.ElementTree.
For this vulnerability to be exploited, the user must be using a custom API URL, which has to be given manually via the api_url argument, or MyOwnFreeHost's API must be compromised. So, if the user did not use a custom API URL they should be fine; upgrading is still advised, however.
Another workaround could be to call defusedxml.defuse_stdlib() before making any requests using the client.
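As an added illustration of the fix described above (example code, not mofh's own), the helper below parses an API response with defusedxml.ElementTree instead of xml.etree.ElementTree and refuses any document carrying a DTD. The response layout and the parse_response name are assumptions for the example; the two XML samples are constructed.

```python
from xml.etree.ElementTree import ParseError

import defusedxml
from defusedxml import ElementTree as SafeET

# Constructed sample of a benign response (assumed shape, not the real API format).
BENIGN_RESPONSE = """<?xml version="1.0"?>
<response><status>success</status><result>ok</result></response>"""

# Constructed sample that declares an internal DTD with one entity. A response
# like this could only arrive from a custom api_url or a compromised upstream,
# and a defused parser must reject it before any entity is expanded.
DTD_RESPONSE = """<?xml version="1.0"?>
<!DOCTYPE response [<!ENTITY e "x">]>
<response><status>&e;</status></response>"""


def parse_response(xml_text: str) -> dict:
    """Parse an API response safely and report why it was rejected, if it was."""
    try:
        # forbid_dtd=True rejects the DOCTYPE itself; the defaults already
        # forbid entity declarations and external references.
        root = SafeET.fromstring(xml_text, forbid_dtd=True)
    except defusedxml.DefusedXmlException as exc:
        # DTDForbidden / EntitiesForbidden / ExternalReferenceForbidden
        return {"ok": False, "reason": type(exc).__name__}
    except ParseError:
        return {"ok": False, "reason": "ParseError"}
    fields = {child.tag: (child.text or "") for child in root}
    return {"ok": True, "fields": fields}


if __name__ == "__main__":
    print(parse_response(BENIGN_RESPONSE))
    print(parse_response(DTD_RESPONSE))
```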