CVE-2018-1000124

Name of the Vulnerable Software and Affected Versions: I-librarian versions 4.8 and earlier

Description: The issue concerns a XML External Entity (XXE) vulnerability, which can allow an attacker to read the contents of a file and potentially conduct a Server-Side Request Forgery (SSRF) attack. This is exploitable by posting XML in the form import textarea parameter. The vulnerability is specifically located in the importmetadata.php file, at line 154, where the simplexml load string function is used.

Recommendations: For I-librarian versions 4.8 and earlier, consider disabling the simplexml load string function in the importmetadata.php file as a temporary workaround until a patch is available. Restrict access to the form import textarea parameter to minimize the risk of exploitation. Avoid using the form import textarea parameter in the affected API endpoint until the issue is resolved.