PT-2019-9935 · Prince · Princexml

Published: 2019-01-29 · Updated: 2019-02-21 · CVE-2018-19858

CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: PrinceXML versions 10 and below

Description: PrinceXML does not protect against external entities, which allows an attacker to read files on the server and to perform Server-Side Request Forgery (SSRF). The attacker passes HTML that references an XML file; PrinceXML fetches that XML file and parses it, resolving any external entities it declares.

Recommendations: For PrinceXML versions 10 and below, disable the parsing of external entities as a temporary workaround until a patch is available. Restrict access to sensitive files, and reduce exposure by not using PrinceXML to render untrusted input.
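The recommendation above (keep untrusted input away from a vulnerable PrinceXML, or make sure no external entity can be resolved) can be enforced with a pre-flight gate in front of the renderer. The following is an added example written for this page, not PrinceXML's own code; the sample documents and the placeholder file URL are constructed, and the gate is assumed to run on every HTML or XML document before it is handed to Prince.

```python
import re

# Prolog constructs that let an XML parser resolve something external:
# <!DOCTYPE root SYSTEM "..."> / <!DOCTYPE root PUBLIC "..." "...">  (external DTD)
_EXTERNAL_DTD_RE = re.compile(r"<!DOCTYPE\s+[^\s\[>]+\s+(?:SYSTEM|PUBLIC)\b", re.I)
# <!ENTITY name SYSTEM "..."> or <!ENTITY % name SYSTEM "...">         (external entity)
_EXTERNAL_ENTITY_RE = re.compile(r"<!ENTITY\s+(?:%\s*)?[^\s]+\s+(?:SYSTEM|PUBLIC)\b", re.I)
# <!ENTITY % name "..."> : parameter entities can smuggle external references
_PARAM_ENTITY_RE = re.compile(r"<!ENTITY\s+%", re.I)
# A whole DOCTYPE declaration, including an optional [ internal subset ]
_DOCTYPE_RE = re.compile(r"<!DOCTYPE\b(?:[^\[>]|\[[^\]]*\])*>", re.I | re.S)
_EXTERNAL_ID_RE = re.compile(r"\b(?:SYSTEM|PUBLIC)\b", re.I)


def find_external_references(doc: str) -> list:
    """Return the reasons a document must not be rendered (empty list = clean)."""
    findings = []
    if _EXTERNAL_DTD_RE.search(doc):
        findings.append("external DTD reference in DOCTYPE")
    if _EXTERNAL_ENTITY_RE.search(doc):
        findings.append("external entity declaration")
    if _PARAM_ENTITY_RE.search(doc):
        findings.append("parameter entity declaration")
    return findings


def neutralize_doctype(doc: str) -> str:
    """Remove any DOCTYPE that carries an internal subset or an external ID.

    A plain '<!DOCTYPE html>' is kept; a DOCTYPE with entity declarations or a
    SYSTEM/PUBLIC identifier is dropped so nothing external can be resolved.
    """
    def _replace(m):
        decl = m.group(0)
        unsafe = "[" in decl or _EXTERNAL_ID_RE.search(decl) is not None
        return "" if unsafe else decl
    return _DOCTYPE_RE.sub(_replace, doc)


# Constructed sample inputs (placeholder URL, not a real target)
SAFE_HTML = "<!DOCTYPE html><html><body><p>Invoice #1</p></body></html>"
UNSAFE_XML = ('<?xml version="1.0"?><!DOCTYPE data [<!ENTITY ext SYSTEM '
              '"file:///PLACEHOLDER">]><data>&ext;</data>')
```

Reject the document when `find_external_references` returns anything, or pass the output of `neutralize_doctype` to the renderer when outright rejection is not an option; apply the same gate to any XML file the HTML links to, since that is the file Prince fetches and parses.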

Exploit · Fix · XXE


Weakness Enumeration

Related Identifiers: CVE-2018-19858

Affected Products: Princexml