Unrated severityNVD Advisory· Published Apr 27, 2011· Updated Apr 29, 2026
CVE-2010-3260
Description
oxf/xml/xerces/XercesSAXParserFactoryImpl.java in the xforms-server component in the XForms service in Orbeon Forms before 3.9 does not properly restrict DTDs in Ajax requests, which allows remote attackers to read arbitrary files or send HTTP requests to intranet servers via an entity declaration in conjunction with an entity reference. NVD labels this an "XML injection" issue; concretely it is XML External Entity (XXE) injection, and the linked fix addresses it by disabling external entity loading in the parser's default feature set.
Affected products
- cpe:2.3:a:orbeon:forms:*:*:*:*:*:*:*:*range: <=3.8.1
- cpe:2.3:a:orbeon:forms:1.5:*:*:*:*:*:*:*
- cpe:2.3:a:orbeon:forms:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:orbeon:forms:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:orbeon:forms:2.2:*:*:*:*:*:*:*
- cpe:2.3:a:orbeon:forms:2.5:*:*:*:*:*:*:*
- cpe:2.3:a:orbeon:forms:2.6:*:*:*:*:*:*:*
- cpe:2.3:a:orbeon:forms:2.7:*:*:*:*:*:*:*
- cpe:2.3:a:orbeon:forms:2.8:*:*:*:*:*:*:*
- cpe:2.3:a:orbeon:forms:3.0:*:*:*:*:*:*:*
- cpe:2.3:a:orbeon:forms:3.5:*:*:*:*:*:*:*
- cpe:2.3:a:orbeon:forms:3.6:*:*:*:*:*:*:*
- cpe:2.3:a:orbeon:forms:3.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:orbeon:forms:3.8:*:*:*:*:*:*:*
Patches
1aba6681660f6 — Implemented "[ #315668 ] Disable loading of external entities in XML parsing by default".
1 file changed · +16 −25
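--- a/src/java/org/orbeon/oxf/xml/xerces/XercesSAXParserFactoryImpl.java
+++ b/src/java/org/orbeon/oxf/xml/xerces/XercesSAXParserFactoryImpl.java
@@ -4,13 +4,9 @@
 import org.xml.sax.SAXException;
 import org.xml.sax.SAXNotRecognizedException;
-import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParser;
 import javax.xml.parsers.SAXParserFactory;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.Hashtable;
-import java.util.Map;
+import java.util.*;
 /**
  * Boasts a couple of improvements over the 'stock' xerces parser factory.
@@ -42,47 +38,43 @@ public class XercesSAXParserFactoryImpl extends SAXParserFactory {
     static {
         {
             final OrbeonParserConfiguration configuration = XercesSAXParser.makeConfig(false, true);
-            final Collection features = configuration.getRecognizedFeatures();
-            recognizedFeaturesNonValidatingXInclude = Collections.unmodifiableCollection(features);
+            final Collection recognizedFeatures = configuration.getRecognizedFeatures();
+            recognizedFeaturesNonValidatingXInclude = Collections.unmodifiableCollection(recognizedFeatures);
             defaultFeaturesNonValidatingXInclude = configuration.getFeatures();
-            // This was being done in XMLUtils.createSaxParserFactory before. Maybe want to
-            // move it back if we decide to make this class more general purpose.
-            defaultFeaturesNonValidatingXInclude.put("http://xml.org/sax/features/namespaces", Boolean.TRUE);
-            defaultFeaturesNonValidatingXInclude.put("http://xml.org/sax/features/namespace-prefixes", Boolean.FALSE);
+            addDefaultFeatures(defaultFeaturesNonValidatingXInclude);
         }
         {
             final OrbeonParserConfiguration configuration = XercesSAXParser.makeConfig(false, false);
             final Collection features = configuration.getRecognizedFeatures();
             recognizedFeaturesNonValidatingNoXInclude = Collections.unmodifiableCollection(features);
             defaultFeaturesNonValidatingNoXInclude = configuration.getFeatures();
-            // This was being done in XMLUtils.createSaxParserFactory before. Maybe want to
-            // move it back if we decide to make this class more general purpose.
-            defaultFeaturesNonValidatingNoXInclude.put("http://xml.org/sax/features/namespaces", Boolean.TRUE);
-            defaultFeaturesNonValidatingNoXInclude.put("http://xml.org/sax/features/namespace-prefixes", Boolean.FALSE);
+            addDefaultFeatures(defaultFeaturesNonValidatingNoXInclude);
         }
         {
             final OrbeonParserConfiguration configuration = XercesSAXParser.makeConfig(true, true);
             final Collection features = configuration.getRecognizedFeatures();
             recognizedFeaturesValidatingXInclude = Collections.unmodifiableCollection(features);
             defaultFeaturesValidatingXInclude = configuration.getFeatures();
-            // This was being done in XMLUtils.createSaxParserFactory before. Maybe want to
-            // move it back if we decide to make this class more general purpose.
-            defaultFeaturesValidatingXInclude.put("http://xml.org/sax/features/namespaces", Boolean.TRUE);
-            defaultFeaturesValidatingXInclude.put("http://xml.org/sax/features/namespace-prefixes", Boolean.FALSE);
+            addDefaultFeatures(defaultFeaturesValidatingXInclude);
         }
         {
             final OrbeonParserConfiguration configuration = XercesSAXParser.makeConfig(true, false);
             final Collection features = configuration.getRecognizedFeatures();
             recognizedFeaturesValidatingNoXInclude = Collections.unmodifiableCollection(features);
             defaultFeaturesValidatingNoXInclude = configuration.getFeatures();
-            // This was being done in XMLUtils.createSaxParserFactory before. Maybe want to
-            // move it back if we decide to make this class more general purpose.
-            defaultFeaturesValidatingNoXInclude.put("http://xml.org/sax/features/namespaces", Boolean.TRUE);
-            defaultFeaturesValidatingNoXInclude.put("http://xml.org/sax/features/namespace-prefixes", Boolean.FALSE);
+            addDefaultFeatures(defaultFeaturesValidatingNoXInclude);
         }
     }
+    private static void addDefaultFeatures(Map features) {
+        features.put("http://xml.org/sax/features/namespaces", Boolean.TRUE);
+        features.put("http://xml.org/sax/features/namespace-prefixes", Boolean.FALSE);
+        // For security purposes, disable external entities
+        features.put("http://xml.org/sax/features/external-general-entities", Boolean.FALSE);
+        features.put("http://xml.org/sax/features/external-parameter-entities", Boolean.FALSE);
+    }
     private final Hashtable features;
     private final boolean validating;
     private final boolean handleXInclude;
@@ -112,14 +104,13 @@ public void setFeature(final String key, final boolean val) throws SAXNotRecogni
         features.put(key, val ? Boolean.TRUE : Boolean.FALSE);
     }
-    public SAXParser newSAXParser() throws ParserConfigurationException {
+    public SAXParser newSAXParser() {
         final SAXParser ret;
         try {
             ret = new XercesJAXPSAXParser(this, features, validating, handleXInclude);
         } catch (final SAXException se) {
             // Translate to ParserConfigurationException
             throw new OXFException(se); // so we see a decent stack trace!
-// throw new ParserConfigurationException(se.getMessage());
         }
         return ret;
     }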
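Review bot: addDefaultFeatures turns off only external-general-entities and external-parameter-entities, which stops entity bodies from being fetched but leaves DOCTYPE processing itself enabled — unless OrbeonParserConfiguration already handles this (not visible in the hunk), Xerces will still retrieve an external DTD named in `<!DOCTYPE x SYSTEM "http://...">` because `http://apache.org/xml/features/nonvalidating/load-external-dtd` defaults to true, and internal entity expansion (billion-laughs style DoS) is not limited at all, so the "HTTP requests to intranet servers" half of this CVE may remain reachable through the DOCTYPE. For input that never legitimately carries a DTD, add `features.put("http://apache.org/xml/features/disallow-doctype-decl", Boolean.TRUE);` next to the two new lines; where DTDs must be tolerated, at minimum set `features.put("http://apache.org/xml/features/nonvalidating/load-external-dtd", Boolean.FALSE);` and note that this feature does not apply to the two validating configurations built with makeConfig(true, ...), which would need a restrictive EntityResolver instead. These values are only map defaults and setFeature (context in the last hunk) lets any caller flip them back, so the new comment should say so, e.g. `// Security (XXE): external entities are off by default; setFeature can re-enable them — never do so for untrusted input`. The static initializer and the class body continue outside this hunk.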
References