The (1) DOMConverter, (2) JDOMConverter, (3) DOM4JConverter, and (4) XOMConverter functions in Direct Web Remoting (DWR) up to and including 2.0.10 and 3.x up to and including 3.0.RC2 allow remote malicious users to read arbitrary files via DOM data containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
directwebremoting direct web remoting |
||
directwebremoting direct web remoting 3.0 |