XML Injection vulnerability vulnerability in dom4j 1.1 (CVE-2018-1000632)

Issue date: 01-11-2019
Affects versions: 13.3, 13.2, 12.6, 11.2

Issue ID: SECURITY-121

Affected Product Version(s)
13.3.0, 13.2.2, 12.6.6, 11.2.15.1 (and previous patch releases)

Severity

Medium

Description

Dom4j 1.1 reported a XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document.

Dom4j is not directly used by Bloomreach Experience Manager, it can be included if the Enterprise Forms feature is used with a Velocity template using the Velocity XML-tools. For releases before 14.0 dom4j is now excluded as dependency. Release 14 will use a newer major release of Velocity.

Instructions

Every customer is advised to upgrade as soon as possible to the latest maintenance release as indicated above, or higher. This can be done by simply incrementing the version number of the parent POM for the implementation project.

If a project requires dom4j the dom4j dependency can be added to the project.

Get Started

Build a Website

Relevance Trail

Feed an AngularJS App

Understand Hippo

Implement Hippo

Extend Hippo

Integrate Hippo

Run Hippo

Upgrade Hippo

Develop Hippo

Use Hippo

Report an Issue

Bloomreach Documentation version

XML Injection vulnerability vulnerability in dom4j 1.1 (CVE-2018-1000632)