CVE-2018-1000830

An attacker can provide a malicious playlist file containing a reference to an external XML entity. When XR3Player parses this playlist, the weakly configured XML parser will process the external entity, leading to various impacts. These impacts include disclosure of confidential data, denial of service, server-side request forgery, and port scanning from the perspective of the XR3Player host machine [ref_id=1]. The vulnerability is triggered when the application parses user-supplied XML content [ref_id=1].

The vulnerability exists in the playlist parsing functionality of XR3Player. Specifically, the `ParsePlaylist.java` file at line 42 is mentioned as insecurely parsing user-supplied XML content [ref_id=1]. Additionally, the `JavaPlaylistParser/src/wseemann/media/jplaylistparser/parser/asx/ASXPlaylistParser.java` file at line 136 is cited for using `DocumentBuilderFactory` without securely disabling entities [ref_id=2].

The advisory recommends disabling external entity resolution in the XML parser to prevent XXE attacks [ref_id=2]. This involves configuring the `DocumentBuilderFactory` to not expand external entities, thereby mitigating the risk of malicious XML payloads. The patch does not show specific code changes, but the remediation guidance implies disabling entity expansion.