XML Injection vulnerability vulnerability in dom4j 1.1 (CVE-2018-1000632)
Issue date: 01-11-2019Affects versions: 13.3, 13.2, 12.6, 11.2
Issue ID: SECURITY-121
Affected Product Version(s)
13.3.0, 13.2.2, 12.6.6, 11.2.15.1 (and previous patch releases)
Severity
Medium
Description
Dom4j 1.1 reported a XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document.
Dom4j is not directly used by Bloomreach Experience Manager, it can be included if the Enterprise Forms feature is used with a Velocity template using the Velocity XML-tools. For releases before 14.0 dom4j is now excluded as dependency. Release 14 will use a newer major release of Velocity.
Instructions
Every customer is advised to upgrade as soon as possible to the latest maintenance release as indicated above, or higher. This can be done by simply incrementing the version number of the parent POM for the implementation project.
If a project requires dom4j the dom4j dependency can be added to the project.