5 matches found
firefox: thunderbird: XSLT documents could bypass CSP
A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: XSLT document loading incorrectly propagates the source document which bypassed its CSP...
GHSA-6CR6-PH3P-F5RF XXE vulnerability in XSLT transforms in `org.hl7.fhir.core`
Impact: XSLT transforms performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is being used within a host where extern...
PT-2024-31547 · Unknown · Hl7 Fhir Core Artifacts
Name of the Vulnerable Software and Affected Versions: HL7 FHIR Core Artifacts repository versions prior to 6.3.23 Description: The issue concerns XML external entity injections in XSLT transforms performed by various components. A processed XML file with a malicious DTD tag could produce XML...
Tomcat/JBossWeb: XXE vulnerability via user supplied XSLTs
It was found that the org.apache.catalina.servlets.DefaultServlet implementation in JBoss Web / Apache Tomcat allowed the definition of XML External Entities (XXEs) in provided XSLTs. A malicious application could use this to circumvent intended security restrictions to disclose sensitive informati...
Xalan-Java: insufficient constraints in secure processing feature
It was found that the secure processing feature of Xalan-Java had insufficient restrictions defined for certain properties and features. A remote attacker able to provide Extensible Stylesheet Language Transformations (XSLT) content to be processed by an application using Xalan-Java could use this...