jadx-core is vulnerable to xml external entity attacks. The vulnerability exists in the parseXml
function of ExportGradleProject.java
as it does not set disallow-doctype-decl
attribute in the DocumentBuilderFactory
, allowing an attacker to export a malicious android application with a crafted AndroidManifest file to Gradle.