xwiki-commons-xml is vulnerable to XML External Entity (XXE) Injection. The parse function of XMLUtils.java does not disable access to external entities by default, allowing an attacker to submit a malicious XML document to perform requests on behalf of the server.
github.com/advisories/GHSA-m2r5-4w96-qxg5
github.com/xwiki/xwiki-commons/commit/947e8921ebd95462d5a7928f397dd1b64f77c7d5
github.com/xwiki/xwiki-commons/commit/abe79aaa31d4e8d8caaadfb7454227fb92ed7b18
github.com/xwiki/xwiki-commons/commit/e34a97dc645a1f18c0d0938e7faff2a3fff008f7
github.com/xwiki/xwiki-commons/security/advisories/GHSA-m2r5-4w96-qxg5
jira.xwiki.org/browse/XWIKI-18946