weixin-python is vulnerable to XML External Entity (XXE) Injection. The vulnerability exists in the `parse` function in `msg.py` and the `to_xml` function in `pay.py`: both process XML with external entities enabled, so entity references are resolved while parsing. An attacker can therefore inject a malicious XML document that, when processed, causes requests to be performed on behalf of the server.
| CPE | Name | Operator | Version |
|---|---|---|---|
| | weixin-python | le | 0.5.4 |
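The following is an added example, not code from weixin-python: it shows the guard a hardened `parse` would add, refusing any document that carries a DTD (and so any entity declaration) before the XML reaches a parser, and flattening a WeChat-style `<xml>` message into a dict as the library's parser does. Sample messages are constructed; the lxml settings named in the docstring are the equivalent hardening when that library is the parser in use.

```python
# Added example (not weixin-python's own code): a DTD-rejecting parser for
# WeChat-style <xml> push messages. Untrusted XML is refused outright if it
# declares a DTD, since only a DTD can define the entities XXE relies on.
import re
import xml.etree.ElementTree as ET

# A DOCTYPE is never needed for a WeChat message, so its presence (or that of
# an ENTITY declaration, which can only live inside one) is treated as hostile.
_DTD_MARKER = re.compile(r"<!(?:DOCTYPE|ENTITY)\b")


class UnsafeXMLError(ValueError):
    """Raised when the document carries a DTD and could define entities."""


def parse_message(raw):
    """Parse a WeChat push message into a flat dict of tag -> text.

    Documents declaring a DTD are rejected so that no entity, internal or
    external, is ever expanded. With lxml the equivalent hardening is
    etree.XMLParser(resolve_entities=False, no_network=True); the stdlib
    ElementTree parser is used here so the example runs without lxml.
    """
    if isinstance(raw, bytes):
        raw = raw.decode("utf-8")
    if _DTD_MARKER.search(raw):
        raise UnsafeXMLError("DTD / entity declarations are not allowed")
    root = ET.fromstring(raw)
    if root.tag != "xml":
        raise ValueError("unexpected root element %r" % root.tag)
    # WeChat wraps string values in CDATA; ElementTree unwraps it for us.
    return {child.tag: (child.text or "") for child in root}


# Constructed sample messages, not captured traffic.
SAFE_MSG = (
    "<xml><ToUserName><![CDATA[gh_example]]></ToUserName>"
    "<FromUserName><![CDATA[user_example]]></FromUserName>"
    "<CreateTime>1348831860</CreateTime>"
    "<MsgType><![CDATA[text]]></MsgType>"
    "<Content><![CDATA[hello]]></Content></xml>"
)
# The same message with a DTD prepended: the guard must refuse it unparsed.
DTD_MSG = '<!DOCTYPE xml [<!ENTITY e "x">]>' + SAFE_MSG


def is_rejected(raw):
    """True if parse_message refuses the document as unsafe."""
    try:
        parse_message(raw)
    except UnsafeXMLError:
        return True
    return False
```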