XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data (PortSwigger). XXE vulnerabilities arise because the XML specification contains various potentially dangerous features, such as document type definitions and external entities, and standard parsers support these features even when the application never uses them.
The check consists of declaring an entity in the DOCTYPE element and then seeing whether the value in the <from> element gets replaced; the replaced value shows up in the messages the application reflects back, such as error messages or search results. If it does, the entity is pointed at a sensitive file (e.g. /etc/passwd) and the <from> value is replaced with that file's content.
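The defensive counterpart of the check above, as an added example that is not part of the original page: an application that accepts a <message> document with a <from> element refuses any input carrying a DOCTYPE or ENTITY declaration before the XML parser sees it, so an entity reference in <from> can never be expanded into file content. The message format, the tag names and the sample documents are constructed for this example; the probe document mirrors the shape the text describes (an external entity declared in the DOCTYPE and referenced from <from>).

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input: a normal message as the application expects it.
BENIGN_MESSAGE = """<?xml version="1.0"?>
<message><from>alice</from><body>hello</body></message>"""

# Constructed sample input: the shape of the XXE probe described in the text.
# An external entity is declared in the DOCTYPE and referenced from <from>;
# a parser that resolves it would reflect the file content in its responses.
PROBE_MESSAGE = """<?xml version="1.0"?>
<!DOCTYPE message [
  <!ENTITY ext SYSTEM "file:///etc/passwd">
]>
<message><from>&ext;</from><body>hello</body></message>"""

# Any DOCTYPE or ENTITY declaration (including parameter entities, which also
# start with "<!ENTITY") is rejected outright. The application never needs a
# DTD, so there is no legitimate input this gate turns away.
_DANGEROUS_DECL = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


class UnsafeXMLError(ValueError):
    """Raised when the input carries a DTD or entity declaration."""


def reject_doctype(xml_text: str) -> None:
    """Pre-parse gate: fail closed on any DOCTYPE/ENTITY declaration."""
    if _DANGEROUS_DECL.search(xml_text):
        raise UnsafeXMLError("DOCTYPE/ENTITY declarations are not accepted")


def is_xxe_probe(xml_text: str) -> bool:
    """Detection helper for logging/alerting: True if the gate would reject."""
    try:
        reject_doctype(xml_text)
    except UnsafeXMLError:
        return True
    return False


def parse_message(xml_text: str) -> dict:
    """Parse a <message> document into {tag: text} only after the gate passes."""
    reject_doctype(xml_text)
    root = ET.fromstring(xml_text)
    if root.tag != "message":
        raise ValueError("unexpected root element: %r" % root.tag)
    return {child.tag: (child.text or "") for child in root}


if __name__ == "__main__":
    print(parse_message(BENIGN_MESSAGE))
    print("probe rejected:", is_xxe_probe(PROBE_MESSAGE))
```

The gate is deliberately a string check rather than a parser option so that it works regardless of which XML library sits behind it; in practice it should be paired with the library's own hardening, such as lxml's XMLParser(resolve_entities=False) or, in Java, the disallow-doctype-decl feature on DocumentBuilderFactory, and every rejection should be logged, since a DOCTYPE in a request that never needs one is itself a useful detection signal.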