PT-2018-6728 · Jgraph · Mxgraph
Lehanhua · Published 2018-02-24 · Updated 2024-06-15
CVE-2017-18197
CVSS v3.1: 9.8 Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions:
mxGraph versions prior to 3.7.6
Description:
The SAXParserFactory instance used by the convert() function in mxGraphViewImageReader.java is created without the configuration that disables external entity resolution, which leaves the parser susceptible to XML External Entity (XXE) attacks. The /ServerView endpoint demonstrates the issue.
Recommendations:
For versions prior to 3.7.6, update to version 3.7.6 or later to resolve the issue. As a temporary workaround, configure the SAXParserFactory instance so that the parser features which resolve DOCTYPE declarations and external entities are disabled before it is used on untrusted input.
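The workaround above, shown as an added example that is not mxGraph's own code and not the convert() function from the advisory: a hardened SAXParserFactory beside the default one, fed a constructed document whose only entity is internal, so the difference in behaviour is visible without any external resource. The class name, method names and the sample XML are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public final class HardenedSaxFactoryExample {

    // The configuration the advisory says is missing: every feature that lets the
    // parser fetch or declare entities is switched off before the parser is built.
    static SAXParserFactory hardenedFactory() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        // Reject any DOCTYPE outright: with no DTD there can be no entity declarations.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a DOCTYPE has to be tolerated elsewhere.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        return f;
    }

    // Parses untrusted XML with the given factory; returns whether the document was accepted.
    static boolean accepts(SAXParserFactory factory, String xml)
            throws ParserConfigurationException, java.io.IOException {
        try {
            SAXParser parser = factory.newSAXParser();
            parser.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)),
                         new DefaultHandler());
            return true;
        } catch (SAXException e) {
            // The hardened parser raises this on the DOCTYPE, before any entity is resolved.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: an internal DTD declaring a harmless internal entity.
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE d [<!ENTITY e \"x\">]>"
                           + "<mxGraphModel>&e;</mxGraphModel>";
        String plain = "<mxGraphModel><root/></mxGraphModel>";
        System.out.println("default factory, DOCTYPE present : "
                           + accepts(SAXParserFactory.newInstance(), withDoctype));
        System.out.println("hardened factory, DOCTYPE present: " + accepts(hardenedFactory(), withDoctype));
        System.out.println("hardened factory, plain document : " + accepts(hardenedFactory(), plain));
    }
}
```

The hardened factory still parses ordinary documents; only input carrying a DOCTYPE is refused, which is the property a deployment should verify after applying the workaround.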
Exploit
Fix
XXE
Affected Products
Mxgraph