PT-2022-11556 · Eyoucms · Eyoucms

Published: 2022-03-20 · Updated: 2022-03-29 · CVE-2021-42194

CVSS v3.1: 7.2 High
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: EyouCms version 1.5.4-UTF8-SP3
Description: The issue arises from the wechat_return function in /controller/Index.php, which passes attacker-controlled XML (the body of the WeChat payment callback) directly into PHP's simplexml_load_string without disabling external entity resolution. An attacker who can reach that endpoint can declare an external entity in a DOCTYPE and have the parser resolve it, which is an XML external entity (XXE) injection: local files can be read into fields the application then processes, and the server can be made to issue outbound requests (SSRF).
Recommendations: For EyouCms version 1.5.4-UTF8-SP3, modify the wechat_return function so that the XML is parsed with entity resolution disabled: do not pass LIBXML_NOENT to simplexml_load_string, call libxml_disable_entity_loader(true) before parsing on PHP versions below 8.0 (on PHP 8.0 and later external entity loading is already disabled by default), and reject callback bodies that contain a DOCTYPE declaration, since a payment callback never needs one. Input "sanitization" on its own is not a reliable fix for XXE; the parser configuration is what matters. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
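The following is an added illustration, not code from EyouCms or from this advisory. It reconstructs the pattern the description names (user-supplied XML handed to simplexml_load_string with entity substitution possible) beside a hardened parser that applies the recommendations above. The callback payload, the function names parse_callback_vulnerable and parse_callback_safe, and the use of LIBXML_NOENT to make the entity substitution deterministic are all assumptions for the example; the real application's flags and field names are not stated on this page.

```php
<?php
// Added example, not EyouCms code. Shows the advisory's XXE pattern and a hardened parser.

// Constructed payload: a WeChat-style callback body whose DTD declares an external
// entity pointing at a local file. The field names are assumed, not taken from EyouCms.
$payload = <<<XML
<?xml version="1.0"?>
<!DOCTYPE xml [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<xml>
  <return_code>SUCCESS</return_code>
  <out_trade_no>&xxe;</out_trade_no>
</xml>
XML;

// Vulnerable pattern (hypothetical reconstruction of what the advisory describes).
// LIBXML_NOENT asks libxml to substitute entities, so &xxe; is replaced with the
// contents of /etc/passwd and flows into whatever reads $obj->out_trade_no.
// Older libxml2 builds resolved external entities even without this flag, which is
// why "not disabling" them is enough to be vulnerable on such platforms.
function parse_callback_vulnerable(string $xml): ?SimpleXMLElement
{
    libxml_use_internal_errors(true);
    $obj = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT | LIBXML_NOCDATA);
    return $obj === false ? null : $obj;
}

// Hardened version applying the advisory's recommendations.
function parse_callback_safe(string $xml): ?SimpleXMLElement
{
    // 1. Refuse any document carrying a DTD. Without a DTD no entity, internal or
    //    external, can be declared, and a payment callback never legitimately has one.
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        return null;
    }

    // 2. On PHP < 8.0 the external entity loader is enabled by default; switch it off
    //    for this call and restore the previous state afterwards. On 8.0+ it is already
    //    off and the function is deprecated, so it is not called there.
    $prev = null;
    if (PHP_VERSION_ID < 80000) {
        $prev = libxml_disable_entity_loader(true);
    }
    libxml_use_internal_errors(true);

    // 3. Parse WITHOUT LIBXML_NOENT (no entity substitution) and WITH LIBXML_NONET
    //    (no network access during parsing).
    $obj = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET | LIBXML_NOCDATA);

    if ($prev !== null) {
        libxml_disable_entity_loader($prev);
    }
    return $obj === false ? null : $obj;
}

// Usage: the hardened parser rejects the constructed payload at the DOCTYPE check,
// whereas the vulnerable one parses it and substitutes the entity where supported.
$safe = parse_callback_safe($payload);
$unsafe = parse_callback_vulnerable($payload);
var_dump($safe);
var_dump($unsafe === null ? null : (string) $unsafe->out_trade_no);
```

The DOCTYPE check is deliberately done on the raw string before the parser sees the input: it costs nothing, does not depend on the libxml2 version in use, and closes both external-entity and internal-entity (billion-laughs style) abuse at once. The libxml flag handling is the defence-in-depth layer behind it.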

Exploit: XXE


Weakness Enumeration

Related Identifiers

CVE-2021-42194

Affected Products

Eyoucms