FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Prosody XMPP server advisory 2022-01-13

Affected packages
prosody < 0.11.12

Details

VuXML ID e3ec8b30-757b-11ec-922f-654747404482
Discovery 2022-01-10
Entry 2022-01-14

The Prosody teaM reports:

It was discovered that an internal Prosody library to load XML based on does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611).

References

CVE Name CVE-2022-0217
URL https://prosody.im/security/advisory_20220113/