Lehanhua

#24106de 53,635
9.8 CVSS total
Vulnerabilities · 1
PT-2018-6728
9.8
2018-02-24
Jgraph · Mxgraph · CVE-2017-18197
Name of the Vulnerable Software and Affected Versions: mxGraph versions prior to 3.7.6

Description: The issue concerns a missing configuration in the SAXParserFactory instance within the convert() function of mxGraphViewImageReader.java, which makes it susceptible to XML External Entity (XXE) attacks. This is demonstrated by the /ServerView endpoint.

Recommendations: For versions prior to 3.7.6, update to version 3.7.6 or later to resolve the issue. As a temporary workaround, consider configuring the SAXParserFactory instance to prevent XXE attacks by setting the necessary flags.
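An added example of the workaround recommended above, not code from mxGraph itself: a SAXParserFactory configured to refuse DOCTYPE declarations and external entity resolution, run side by side with a default factory on a constructed document. The element names and sample documents are invented for the demonstration.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;
import java.io.StringReader;

public class HardenedSaxParser {

    // Hardened factory: refuse DOCTYPE declarations outright, disable external
    // general/parameter entities and external DTD loading, and enable the JAXP
    // secure-processing limits. Feature URIs are the standard Xerces/SAX ones.
    public static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setXIncludeAware(false);
        return factory;
    }

    // Parses the document with the given factory; returns false if the parser rejects it.
    static boolean accepts(SAXParserFactory factory, String xml) throws Exception {
        SAXParser parser = factory.newSAXParser();
        try {
            parser.parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return true;
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: a plain document and one carrying a DOCTYPE with an internal entity.
        String plain = "<doc><item/></doc>";
        String withDoctype = "<!DOCTYPE doc [<!ENTITY e \"sample\">]><doc>&e;</doc>";

        SAXParserFactory defaults = SAXParserFactory.newInstance(); // unconfigured, as before the fix
        SAXParserFactory hardened = hardenedFactory();

        System.out.println("default  accepts plain:   " + accepts(defaults, plain));
        System.out.println("default  accepts DOCTYPE: " + accepts(defaults, withDoctype));
        System.out.println("hardened accepts plain:   " + accepts(hardened, plain));
        System.out.println("hardened accepts DOCTYPE: " + accepts(hardened, withDoctype));
    }
}
```

The hardened factory still parses ordinary documents but raises a SAXParseException on any DOCTYPE, which closes the entity-resolution path the advisory describes; if a deployment legitimately needs DTDs, keep the external-entity and external-DTD features disabled and drop only the disallow-doctype-decl line.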