logo

Dojo challenge #34 winners!

ID: 5a43e0d6-cca5-5d5a-8ba5-1da59f981e4b

STIX ID: report--5a43e0d6-cca5-5d5a-8ba5-1da59f981e4b

Feed Name: YesWeHack Blog | Cybersecurity Insights and Bug Bounty Trends| RSS Feed

Threat Score
55/100

Date Published: 2024-08-05

Date Updated: 2026-07-04

...
...

This report documents an XML External Entity (XXE) vulnerability in an AI image-generation web app where the XML SAX parser allows external general entities and a simple blacklist can be bypassed by submitting UTF-16-encoded, base64-wrapped XML. The author provides code analysis, example payloads (including a PoC that reads /etc/passwd and /tmp/flag.txt), an automation script, a risk assessment, and remediation guidance (disable external entities, use secure parsers, validate inputs).

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.