Moderate severityNVD Advisory· Published Nov 24, 2014· Updated May 6, 2026

CVE-2014-5325

Description

The (1) DOMConverter, (2) JDOMConverter, (3) DOM4JConverter, and (4) XOMConverter functions in Direct Web Remoting (DWR) through 2.0.10 and 3.x through 3.0.RC2 allow remote attackers to read arbitrary files via DOM data containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.directwebremoting:dwrMaven	< 2.0.11	2.0.11
org.directwebremoting:dwrMaven	>= 3.0.M1, < 3.0.RC3	3.0.RC3

Affected products

Directwebremoting/Direct Web Remoting3 versions
cpe:2.3:a:directwebremoting:direct_web_remoting:*:*:*:*:*:*:*:*+ 2 more
- cpe:2.3:a:directwebremoting:direct_web_remoting:*:*:*:*:*:*:*:*range: <=2.0.10
- cpe:2.3:a:directwebremoting:direct_web_remoting:3.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:directwebremoting:direct_web_remoting:3.0:rc2:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-hqw5-62gp-rqgmghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2014-5325ghsaADVISORY
jvn.jp/en/jp/JVN91502163/index.htmlnvdWEB
jvndb.jvn.jp/jvndb/JVNDB-2014-000117nvdWEB
www.securityfocus.com/bid/71093nvd

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000