Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

WS-2022-0266

Good to know:

icon
icon

Date: August 11, 2022

mofh before 1.0.1 is vulnerable to Improper Restriction of XML External Entity Reference. The xml.etree.ElementTree module implements a simple and efficient API for parsing and creating XML data. Due to the issue, mpfh is vulnerable to Billion Laughs and Quadratic Blowup, which lead to Denial of Service (DoS). The patched versions utilize the defusedxml package instead of xml.etree.ElementTree. Note: To exploit the vulnerability, the user must be using a custom API URL which has to be manually given using the api_url argument, or MyOwnFreeHost's API must be hacked.

Language: Python

Severity Score

Related Resources (2)

https://github.com/Wallvon/mofh/commit/da0d33cfd368e2f237ab28bf7a7f00e3d281005a
https://www.mend.io/vulnerability-database/WS-2022-0266

Severity Score

Weakness Type (CWE)

Improper Restriction of XML External Entity Reference ('XXE')

CWE-611

Top Fix

icon

Upgrade Version

Upgrade to version mofh - 1.0.1

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): NONE
Availability (A): HIGH

Do you need more information?

Contact Us