VERIFIED SOLUTION

EngageOne - How to resolve XML External Entity Injection Vulnerability

Product Feature: Security


 
An XML External Entity (XXE) injection vulnerability was identified that allows access to potentially sensitive resources such as local files or remote websites. Under some circumstances it could also result in a Denial-of-Service (DoS) condition.

The flaw allows users of the application to read the contents of files on the filesystem and to cause denial-of-service conditions, resulting in a breach of confidentiality and availability.

Reconfigure the XML parser so that it does not resolve external entities.
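
The following is an added example, not code from this article or from EngageOne: one way to apply the fix above, shown with Python's standard-library expat binding because the page does not name the parser EngageOne uses. The function names and both sample documents are constructed for illustration.

```python
import xml.parsers.expat


class ForbiddenXML(ValueError):
    """Raised when untrusted XML uses a construct this parser refuses."""


def parse_untrusted(data: bytes, forbid_dtd: bool = True) -> list:
    """Parse XML and return its element names, refusing DTDs and entities."""
    names = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Strictest setting: no DOCTYPE means no entity can be declared at all.
        if forbid_dtd:
            raise ForbiddenXML("DOCTYPE declaration rejected")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Second layer, reached only when DTDs are tolerated.
        raise ForbiddenXML("entity declaration rejected: " + name)

    def on_external_ref(context, base, sysid, pubid):
        # Last layer: never fetch a file or URL on the document's behalf.
        raise ForbiddenXML("external entity reference rejected")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(data, True)  # exceptions raised in handlers propagate here
    return names


def rejection_reason(data: bytes, forbid_dtd: bool = True):
    """Return the refusal message, or None if the document was accepted."""
    try:
        parse_untrusted(data, forbid_dtd)
    except ForbiddenXML as exc:
        return str(exc)
    return None


# Constructed samples: a plain document and one declaring an external entity
# that points at a placeholder path.
BENIGN = b"<letter><to>customer</to></letter>"
WITH_EXTERNAL_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE letter [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
    b"<letter><to>&ext;</to></letter>"
)
```

Rejecting the DOCTYPE outright is the strictest setting; where a DTD must be accepted, the entity-declaration and external-reference handlers still stop entity resolution.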

Resolved in all builds of EngageOne later than 3.1.2.27078.Build57.
UPDATED:  April 19, 2017