Unknown · Referencevalidator · CVE-2024-46984
**Name of the Vulnerable Software and Affected Versions**
referencevalidator versions prior to 2.5.1
**Description**
The profile location routine in the referencevalidator commons package is vulnerable to an `XML External Entity` (XXE) attack because the Woodstox `WstxInputFactory` it uses is left at its insecure defaults, which allow DTD processing and external entity resolution. A malicious XML resource can therefore cause referencevalidator to issue network requests, which amounts to a `Server Side Request Forgery` (SSRF) attack. The vulnerability affects applications that use referencevalidator to process XML resources from untrusted sources.
**Recommendations**
For versions prior to 2.5.1, update to version 2.5.1 or a more recent one to resolve the issue.
As a temporary workaround, pre-process or manually inspect input XML resources for DTD declarations or external entity definitions before passing them to referencevalidator.
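The following Java class is an added illustration of the hardening the advisory implies; it is not code from referencevalidator, and the `readText` routine is a hypothetical stand-in for the profile location step rather than the project's actual method. It assumes the `com.fasterxml.woodstox:woodstox-core` artifact is on the classpath, and the sample document and its URL are constructed placeholders. It shows a `WstxInputFactory` at its defaults beside one with DTD support and external entity resolution switched off and an entity resolver that refuses every lookup:

```java
import com.ctc.wstx.stax.WstxInputFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import java.io.StringReader;

public class SafeProfileLocator {

    // Constructed sample: a profile-like document that declares an external
    // entity. The host is a placeholder (.invalid TLD), not a real endpoint.
    static final String UNTRUSTED_XML =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE profile [\n" +
        "  <!ENTITY ext SYSTEM \"http://placeholder.invalid/resource\">\n" +
        "]>\n" +
        "<profile>&ext;</profile>";

    // The configuration the advisory describes: Woodstox left at its defaults,
    // which keep DTD processing and external entity resolution enabled, so
    // parsing UNTRUSTED_XML would attempt to fetch the SYSTEM URL.
    static XMLInputFactory defaultFactory() {
        return new WstxInputFactory();
    }

    // Hardened configuration: reject DTD processing, refuse external entity
    // expansion, and install a resolver that fails any entity lookup that
    // might still be attempted. These are standard StAX properties that
    // Woodstox honours.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = new WstxInputFactory();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        f.setXMLResolver((publicId, systemId, baseUri, namespace) -> {
            throw new XMLStreamException(
                "external entity resolution is disabled; refused: " + systemId);
        });
        return f;
    }

    // Hypothetical stand-in for the profile location step: consume the whole
    // document and return its character content. With the hardened factory an
    // external entity is never fetched; the parse fails with XMLStreamException
    // (undeclared or unresolvable entity) instead of triggering a request.
    static String readText(XMLInputFactory factory, String xml) throws XMLStreamException {
        XMLStreamReader r = factory.createXMLStreamReader(new StringReader(xml));
        StringBuilder text = new StringBuilder();
        try {
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.CHARACTERS) {
                    text.append(r.getText());
                }
            }
        } finally {
            r.close();
        }
        return text.toString();
    }

    public static void main(String[] args) {
        // Only the hardened factory is exercised here; the default factory is
        // kept for comparison and would attempt a network fetch on this input.
        try {
            System.out.println("hardened result: " + readText(hardenedFactory(), UNTRUSTED_XML));
        } catch (XMLStreamException e) {
            System.out.println("hardened parser rejected input: " + e.getMessage());
        }
    }
}
```

The resolver is deliberately redundant with the two property settings: if a future Woodstox version changes what `SUPPORT_DTD` or `IS_SUPPORTING_EXTERNAL_ENTITIES` cover, the resolver still guarantees that no entity lookup reaches the network or the file system. For the workaround the advisory mentions, the same idea applies upstream: a cheap check that refuses any input containing `<!DOCTYPE` before it reaches the unpatched parser removes the vector without touching referencevalidator itself.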