Unknown · Xml-Crypto · CVE-2024-32962
**Name of the Vulnerable Software and Affected Versions**
xml-crypto versions 4.0.0 through 5.x
**Description**
In its default configuration, xml-crypto does not check that the signer is authorized; it only checks that the signature is cryptographically valid. The library trusts whatever certificate is supplied in the signed document's own `<KeyInfo />` element, so the key used to verify the signature is chosen by whoever produced the document. A malicious actor can therefore modify an XML document, strip the existing signature, re-sign the modified document with a private key they control, and place the matching certificate in `<KeyInfo />`; the result passes the default validation checks, and any application that relies on those checks alone accepts attacker-controlled content as authentically signed. The number of affected deployments is not explicitly stated, but the library is used by 402 projects and has around 1 million weekly downloads.
**Recommendations**
For versions 4.x and 5.x, check the certificate extracted via `getCertFromKeyInfo` against the set of certificates you actually trust before accepting the result of signature validation; a valid signature under an unknown certificate must be treated as a failure.
For versions 4.x and 5.x, set `xml-crypto`'s `getCertFromKeyInfo` option to `() => undefined` so that the certificate carried inside the document is never consulted and verification is forced to use an explicitly configured `publicCert` or `privateKey`.
Upgrade to version 6.0.0 or later, which no longer trusts the certificate in `<KeyInfo />` by default.