Commit
[SECURITY] Disallow XXE in RSS dashboard widget
Processing XML external entities is explicitly disallowed when retrieving RSS/XML data from a remote service. Code-wise it is handled as a security issue - however it was not possible to actually exploit the code with current system distributions. Default processing of external entities has been disabled in libxml2 since version 2.9 - thus, most systems are not affected by this issue.

Resolves: #92329
Releases: master, 10.4
Change-Id: Ia00e98ea8e54472ad09fbf4beaf1481eaa5fd7a2
Security-Bulletin: TYPO3-CORE-SA-2020-012
Security-References: CVE-2020-26229
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66661
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
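An added example, not part of this commit or of TYPO3's code: one way to parse a remotely fetched RSS document in PHP so that external entities are not resolved, whichever libxml2 version the system ships. The function name `parseRemoteFeed` and both sample feeds are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

/** Hypothetical helper: parse remote RSS/XML without resolving external entities. */
function parseRemoteFeed(string $xml): ?SimpleXMLElement
{
    // RSS needs no document type declaration, and entities can only be
    // defined inside one, so refuse such documents up front. This is a
    // byte-level check; the parser settings below remain the actual control.
    if (stripos($xml, '<!DOCTYPE') !== false) {
        return null;
    }

    $previousErrors = libxml_use_internal_errors(true);
    // PHP < 8.0 may run on libxml2 < 2.9: switch the entity loader off for
    // this parse. The function is deprecated from PHP 8.0 on, which requires
    // libxml2 >= 2.9 where external entity loading is off by default.
    $previousLoader = null;
    if (PHP_VERSION_ID < 80000) {
        $previousLoader = libxml_disable_entity_loader(true);
    }

    try {
        // LIBXML_NONET forbids network access during parsing. LIBXML_NOENT
        // and LIBXML_DTDLOAD are deliberately not passed: they would turn on
        // entity substitution and external DTD loading.
        $feed = simplexml_load_string($xml, SimpleXMLElement::class, LIBXML_NONET);
    } finally {
        if ($previousLoader !== null) {
            libxml_disable_entity_loader($previousLoader);
        }
        libxml_clear_errors();
        libxml_use_internal_errors($previousErrors);
    }

    return $feed === false ? null : $feed;
}

// Constructed sample inputs: a plain feed and one declaring an external entity.
$plain = '<?xml version="1.0"?><rss version="2.0"><channel><title>News</title></channel></rss>';
$withEntity = '<?xml version="1.0"?>'
    . '<!DOCTYPE rss [<!ENTITY e SYSTEM "file:///constructed/placeholder">]>'
    . '<rss version="2.0"><channel><title>&e;</title></channel></rss>';

var_dump((string) parseRemoteFeed($plain)->channel->title);
var_dump(parseRemoteFeed($withEntity));
```

The second call returns `null` because the document is refused before it reaches the parser; the plain feed parses normally.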