XML Injection vulnerability vulnerability in dom4j 1.1 (CVE-2018-1000632) - Bloomreach Experience - Open Source CMS

XML Injection vulnerability vulnerability in dom4j 1.1 (CVE-2018-1000632) 

Issue date: 01-11-2019
Affects versions: 13.3, 13.2, 12.6, 11.2

Issue ID: SECURITY-121

 

Affected Product Version(s)
13.3.0, 13.2.2, 12.6.6, 11.2.15.1 (and previous patch releases)


Severity 

Medium


Description

Dom4j 1.1 reported a XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document.

Dom4j is not directly used by Bloomreach Experience Manager, it can be included if the Enterprise Forms feature is used with a Velocity template using the Velocity XML-tools. For releases before 14.0 dom4j is now excluded as dependency. Release 14 will use a newer major release of Velocity.

Instructions

Every customer is advised to upgrade as soon as possible to the latest maintenance release as indicated above, or higher. This can be done by simply incrementing the version number of the parent POM for the implementation project.

If a project requires dom4j  the dom4j dependency can be added to the project.