PT-2011-1390 · Orbeon · Orbeon Forms

Published: 2011-04-27 · Updated: 2011-07-19 · CVE-2010-3260

CVSS v2.0: 6.4 (Medium)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the vulnerable software and affected versions: Orbeon Forms versions prior to 3.9

Description: The issue is an XML external entity ("XML injection") problem: oxf/xml/xerces/XercesSAXParserFactoryImpl.java in the xforms-server component does not properly restrict DTDs in Ajax requests. A remote attacker can read arbitrary files or send HTTP requests to intranet servers by combining an entity declaration with an entity reference in the request body.

Recommendations: For versions prior to 3.9, update to version 3.9 or later to resolve the issue.
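The underlying fix is to stop the server-side SAX parser from honouring DTDs in client-supplied XML. The following is an added example (not Orbeon's own code) of a hardened JAXP/Xerces factory that rejects any DOCTYPE and, as a fallback, disables external entity resolution; the sample request documents are constructed and the file URL is a placeholder.

```java
import java.io.StringReader;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedSaxFactory {
    // Build a Xerces-compatible SAX factory that refuses DTDs outright.
    static SAXParserFactory hardened() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        // Reject any <!DOCTYPE ...>; entity declarations can only appear there.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth if DOCTYPE ever has to be allowed: never resolve
        // external general/parameter entities or fetch an external DTD.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setNamespaceAware(true);
        return f;
    }

    // Returns true if the factory's parser accepts the document, false if it is rejected.
    static boolean accepts(SAXParserFactory f, String xml) throws Exception {
        SAXParser p = f.newSAXParser();
        try {
            p.parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return true;
        } catch (SAXParseException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        SAXParserFactory f = hardened();
        // Constructed sample Ajax-style request without a DTD: accepted.
        String plain = "<request><action name=\"update\"/></request>";
        // Constructed sample carrying a DOCTYPE with an external entity
        // (placeholder URL): rejected before any entity is resolved.
        String withDoctype =
            "<!DOCTYPE r [<!ENTITY ex SYSTEM \"file:///PLACEHOLDER\">]><r>&ex;</r>";
        System.out.println("plain request accepted:   " + accepts(f, plain));      // true
        System.out.println("DOCTYPE request accepted: " + accepts(f, withDoctype)); // false
    }
}
```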

Exploit

Fix


Weakness Enumeration

Related identifiers

CVE-2010-3260

Affected products

Orbeon Forms