PT-2018-9564 · Processing · Processing

Published: 2018-12-20 · Updated: 2019-02-07 · CVE-2018-1000840

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Processing version 3.4 and earlier

Description

The issue is an XML External Entity (XXE) vulnerability in the loadXML() function. It allows an attacker to read arbitrary files and exfiltrate their contents via HTTP requests. The attack is exploitable when the victim uses Processing to parse a crafted XML document.

Recommendations

For Processing version 3.4 and earlier, as a temporary workaround, consider disabling the loadXML() function until a patch is available. Restrict access to sensitive files and minimize the use of Processing for parsing untrusted XML documents to reduce the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
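Where a sketch must still read XML from an untrusted source, one option is to bypass loadXML() and parse with a hardened parser. The following is an added example, not code from Processing or from this advisory: `SafeXmlLoader` and `parseUntrusted` are hypothetical names, the sample documents are constructed, and it assumes the JDK's built-in JAXP parser.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

// Hypothetical helper (not part of Processing): parses XML with DTDs and
// external entities disabled, so XXE payloads are rejected before expansion.
public class SafeXmlLoader {

    static Document parseUntrusted(InputStream in)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE: without one, no entity can be declared at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case the DOCTYPE ban is ever relaxed.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(in);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: one plain document, one carrying a DOCTYPE
        // with a harmless internal entity to show that the DOCTYPE is refused.
        String plain = "<config><name>sketch</name></config>";
        String withDoctype = "<!DOCTYPE config [<!ENTITY e \"x\">]>"
                + "<config><name>&e;</name></config>";
        for (String xml : new String[] {plain, withDoctype}) {
            InputStream in = new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8));
            try {
                Document d = parseUntrusted(in);
                System.out.println("accepted: root=" + d.getDocumentElement().getTagName());
            } catch (SAXException e) {
                // The parser refuses the document instead of resolving entities.
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```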

Exploit

XXE

Weakness Enumeration

Related Identifiers

CVE-2018-1000840

Affected Products

Processing