The leakage of channel access token in platinum clinic Line 13.6.1 allows remote attackers to send malicious notifications to victims.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-47367: CVE-reports/platinum clinic.md at main · syz913/CVE-reports

The leakage of channel access token in best_training_member Line 13.6.1 allows remote attackers to send malicious notifications.

CVE-2023-47369: CVE-reports/best_training_member.md at main · syz913/CVE-reports

The leakage of channel access token in craft_members Line 13.6.1 allows remote attackers to send malicious notifications to victims.

CVE-2023-47366: CVE-reports/craft_members.md at main · syz913/CVE-reports

By Waqas
OpenAI and ChatGPT began experiencing service outages on November 8th, and the company is actively working to restore full service.
This is a post from HackRead.com Read the original post: ChatGPT Down? OpenAI Blames Outages on DDoS Attacks

Is your ChatGPT down? Are you experiencing issues with ChatGPT, such as connectivity problems or encountering a ‘Network error on long responses’? – ChatGPT has been under a series of DDoS attacks, apparently orchestrated by Anonymous Sudan.

OpenAI’s ChatGPT, a popular AI-powered chatbot, has been experiencing outages for the past 24 hours due to distributed denial-of-service (DDoS) attacks. The company confirmed the attacks in a statement on its status website, saying that it is working to mitigate the attacks and restore full service.

> _“We are dealing with periodic outages due to an abnormal traffic pattern reflective of a DDoS attack. We are continuing to work to mitigate this.“_
> 
> OpenAI on Nov 08, 2023 – 19:49 PST

According to OpenAI CEO Sam Altman, as of this week, ChatGPT now boasts 100 million weekly active users. While this places ChatGPT as the most popular platform on the internet, it also renders it a lucrative target for cybercriminals and hacktivists.

OpenAI has not yet said when it expects the ChatGPT outages to be fully resolved. However, the company has assured users that it is working to resolve the issue as quickly as possible.

ChatGPT’s status page as of Nov 09, 2023

The ChatGPT outages have had a significant impact on users of the service. Many users have been unable to access ChatGPT at all, while others have experienced intermittent outages.

DDoS attacks are a type of cyberattack in which an attacker sends a large number of requests to a website or server in order to overwhelm it and make it unavailable to legitimate users. In the case of ChatGPT, the attackers are flooding the service with more requests than it can handle, causing it to go down.

****Anonymous Sudan Claims Responsibility****

_Hackread.com_ can confirm that the responsibility for the attacks on OpenAI’s infrastructure has been claimed by Anonymous Sudan. The group shared various screenshots on its Telegram channel, depicting examples where OpenAI’s website and ChatGPT’s dashboard experienced downtime or displayed various errors and connectivity issues.

The group further elaborated on their motives for targeting OpenAI and ChatGPT, highlighting the reasons behind their DDoS attacks on one of the most popular platforms globally. In a Telegram post, they stated that as they are specifically targeting American companies, OpenAI, being an American company, is naturally among their prime targets.

The group additionally cited another major reason for targeting OpenAI, pointing to its association with the state of Israel, its investment plans in Israel, and the recent meeting between OpenAI’s CEO, Sam Altman, and the Israeli Prime Minister, Benjamin Netanyahu. Emphasizing their support for the Palestinians, the group mentioned this as a significant rationale behind targeting OpenAI and ChatGPT.

For your information, Anonymous Sudan is a group of hacktivists who claim to be affiliated with the Anonymous collective. However, cybersecurity experts have cast doubt on these claims, suggesting that Anonymous Sudan may be a front for other Russian hacktivist groups.

Anonymous Sudan first emerged in January 2023, when they launched a series of DDoS attacks against Swedish and Danish organizations in response to the far-right activist Rasmus Paludan. In February 2023, Anonymous Sudan also **DDoSed Swedish SAS Airlines**.

The group has since claimed responsibility for a number of other DDoS attacks, including attacks against X (formerly Twitter), Microsoft, and other Western targets.

If you are a user of ChatGPT, there is not much you can do to prevent DDoS attacks. However, you can check the OpenAI status page for updates on the situation and to see if the service is available. You can also try accessing ChatGPT at different times of day, as the attacks may not be continuous.

**_RELATED ARTICLES_**

1.  **Hackers Target Israeli Rocket Alert App Users with Spyware**
2.  **10 Top DDoS Attack Protection and Mitigation Companies in 2023**
3.  **Google, Cloudflare and AWS Disclose Largest DDoS Attack in History**
4.  **Hackers Send Fake Rocket Alerts to Israelis via Hacked Red Alert App**
5.  **Researchers Leverage ChatGPT to Expose Notorious macOS Malware**
6.  **WormGPT – Malicious ChatGPT Alternative Empowering Cybercriminals**

ChatGPT Down? OpenAI Blames Outages on DDoS Attacks

The FBI is investigating a data breach where cybercriminals were able to steal patients’ records from a Las Vegas plastic surgeon's office and then publish them online.

The FBI is investigating a data breach where cybercriminals were able to steal patients’ records from a Las Vegas plastic surgeon’s office, and then post the details online which included nude photos.

In February, cybercriminals gained access to Hankins & Sohn’s network, which has offices in both Henderson and Las Vegas. From there, the cybercriminals were able to download patient information.

The practice sent a letter to patients in March and April notifying them of the breach.

> “On or about February 23, 2023, Hankins & Sohn became aware of suspicious activity relating allegations by an unknown actor that data was stolen from our network. We quickly took steps to investigate the validity of the claims and to assess the nature and scope of the activity and what information may have been affected. We are also working with law enforcement to investigate the activity. We learned that files were taken by the unknown actor prior to this date.”

Apparently, the cybercriminals didn’t get what they wanted from Hankins & Sohn and started posting the information online. Several patients and court documents say that the stolen data included sensitive personal information, such as names and Social Security numbers, but also nude photos of patients taken before and after surgery.

They cybercriminals didn’t stop at that. They sent the data, along with the nude photos, to family and friends through patients’ email accounts.

According to 8NewsNow, about a dozen women have since filed a lawsuit against the firm, claiming they did not do enough to protect their private and personal information. None of the documents posted online were encrypted. It was unclear Monday if Hankins & Sohn was storing its data per HIPAA rules. A spokesperson for the office that oversees HIPAA-related investigations declined to comment.

HIPAA is short for Health Insurance Portability and Accountability Act. HIPAA is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.

The victims claim that the Hankins and Sohn failed to implement adequate and reasonable cybersecurity procedures and protocols to protect their Personally Identifiable Information (PII) and Protected health information (PHI).

**Data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   Enable two-factor authentication. Where possible, use a FIDO2 2FA device. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
*   Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your and your family’s personal information by using Malwarebytes Identity Theft Protection.

 Nude “before and after” photos stolen from plastic surgeon, posted online, and sent to victims&#8217; family and friends 

A new malvertising campaign has been found to employ fake sites that masquerade as legitimate Windows news portal to propagate a malicious installer for a popular system profiling tool called CPU-Z.
"This incident is a part of a larger malvertising campaign that targets other utilities like Notepad++, Citrix, and VNC Viewer as seen in its infrastructure (domain names) and cloaking templates used

Endpoint Security / Malware

A new malvertising campaign has been found to employ fake sites that masquerade as legitimate Windows news portal to propagate a malicious installer for a popular system profiling tool called CPU-Z.

"This incident is a part of a larger malvertising campaign that targets other utilities like Notepad++, Citrix, and VNC Viewer as seen in its infrastructure (domain names) and cloaking templates used to avoid detection," Malwarebytes' Jérôme Segura said.

While malvertising campaigns are known to set up replica sites advertising widely-used software, the latest activity marks a deviation in that the website mimics WindowsReport\[.\]com.

The goal is to trick unsuspecting users searching for CPU-Z on search engines like Google by serving malicious ads that, when clicked, redirect them to the fake portal (workspace-app\[.\]online).

At the same time, users who are not the intended victims of the campaign are served an innocuous blog with different articles, a technique known as cloaking.

The signed MSI installer that's hosted on the rogue website contains a malicious PowerShell script, a loader known as FakeBat (aka EugenLoader), which serves as a conduit to deploy RedLine Stealer on the compromised host.

"It is possible the threat actor chose to create a decoy site looking like Windows Report because many software utilities are often downloaded from such portals instead of their official web page," Segura noted.

This is far from the first time deceptive Google Ads for popular software have turned out to be a malware distribution vector. Last week, cybersecurity firm eSentire disclosed details of an updated Nitrogen campaign that paves the way for a BlackCat ransomware attack.

Two other campaigns documented by the Canadian cybersecurity firm show that the drive-by download method of directing users to dubious websites has been leveraged to propagate various malware families like NetWire RAT, DarkGate, and DanaBot in recent months.

The development comes as threat actors continue to increasingly rely on adversary-in-the-middle (AiTM) phishing kits such as NakedPages, Strox, and DadSec to bypass multi-factor authentication and hijack targeted accounts.

To top it all, eSentire also called attention to a new method dubbed the Wiki-Slack attack, a user-direction attack that aims to drive victims to an attacker-controlled website by defacing the end of the first para of a Wikipedia article and sharing it on Slack.

Specifically, it exploits a quirk in Slack that "mishandle\[s\] the whitespace between the first and second paragraph" to auto-generate a link when the Wikipedia URL is rendered as a preview in the enterprise messaging platform.

It's worth pointing out that a key prerequisite to pulling off this attack is that the first word of the second paragraph in the Wikipedia article must be a top-level domain (e.g., in, at, com, or net) and that the two paragraphs should appear within the first 100 words of the article.

With these restrictions, a threat could weaponize this behavior such that the way Slack formats the shared page's preview results points to a malicious link that, upon clicking, takes the victim to a booby-trapped site.

"If one does not have ethical guardrails, they can augment the attack surface of the Wiki-Slack attack by editing Wikipedia pages of interest to deface it," eSentire said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Malvertising Campaign Uses Fake Windows News Portal to Distribute Malicious Installers

Cisco Talos has recently observed an increase in spam messages abusing a feature of quizzes created within Google Forms.

Thursday, November 9, 2023 08:11

*   Spammers are exploiting the "Release scores" feature of Google Forms quizzes to deliver email.
*   The emails originate from Google's own servers and consequently may have an easier time bypassing anti-spam protections and finding the victim's inbox.
*   Volumes of these messages hovered near noise levels but have recently spiked into the hundreds.

Cisco Talos has recently observed an increase in spam messages abusing a feature of quizzes created within Google Forms. In particular, spammers have discovered that they can create a new quiz in Google Forms, use the victim’s email address to respond to the quiz, and then abuse the “Release Scores” feature of the Google Form to deliver their spam to the victim. Because the spam messages emanate from Google itself, the messages have a good chance of landing in the victim’s inbox.

A histogram showing the volume of “Score released:” emails for the past two years.

Cisco Talos examined a recent spam campaign in which the Subject headers all contained the text, “Score released:”. During our investigation, we quickly realized these messages were being generated through a feature of Google Forms’ quizzes. Google Forms abuse has been present in spam attacks for several years, though our investigation showed that this particular feature of Google Forms quizzes was not very heavily abused to send spam until relatively recently.

**Google Forms’ quizzes**

In Google Forms, when creating a new form, an author can choose to “Make this a quiz.” Choosing to release grades “Later, after manual review,” enforces the collection of email addresses in the quiz.

An example Google Forms quiz is configured to release grades after manual review.

Elsewhere, under the settings for Responses, choosing “Responder input” allows a spammer to fill in their form using any victim’s email address.

An example form configured to allow responder-controlled values for email addresses.

Once the form is configured in this way, a link to the form can be obtained and accessed by the spammer. The spammer then fills out the form using the victim’s email address and submits it. Whether the question in the quiz is answered does not matter. Afterward, the fake quiz responses generated by the attacker can be viewed.

Quiz responses as seen by the Google Forms quiz owner.

Clicking the “Release scores” dialog in the upper right will prompt the form owner to “Send emails and release” the scores. The message delivered as part of the email can be customized to include any text or URL, and the message will then be delivered by Google using the “From:” address of the Google account that created the quiz. Because the email messages generated using this technique emanate from Google’s servers, they stand a good chance of being delivered to the victim’s inbox. 

**Google Forms quiz spam used in an elaborate cryptocurrency scam**

A recent example of one of these Google Forms quiz score release spam attacks appears below. 

An example of a recent spam campaign utilizing the “Release scores” feature of Google Forms quizzes.

When the victim clicks the “View” button in this email, they are directed to the fake form response generated by the spammer.

Clicking “View” on a “Scores released:” spam directs the victim to the spammer-generated form response.

In this particular form response, the spammer has provided a link “>>> GO TO THE SITE” which points to another Google Form that asks the victim to confirm their email address. At this stage of the attack, when an email address is entered into the second form, the victim is provided a form response containing a link to an external website: go-procoinwhu\[.\]top. 

After the victim “confirms” their email address they are presented with a link to a third party website.

The go-procoinwhu\[.\]top domain was created only just created on October 28, 2023, but it is already seeing a large uptick in the number of DNS queries requesting it.

Clicking the go-procoinwhu\[.\]top link in the Google Form response results in a 302 redirect from Cloudflare, which directs the victim to https://hdlgr\[.\]dudicyqehama\[.\]top/, which is also hosted by Cloudflare. This domain was also recently created (October 25, 2023), and exhibits a very similar DNS traffic pattern in Umbrella Investigate.

When the victim navigates to the dudicyqehama.top website, they are presented with an elaborate scam website that claims that the victim possesses more than 1.3 Bitcoin in their account as a result of “automatic cloud Bitcoin mining,” which the site claims is worth more than $46,000 USD. 

A malicious cryptocurrency-related website claims the victim has over 1.3 BTC. 

Once the victim clicks “Continue,” they are brought into the main website “login page.” The username and password are pre-filled into the login form, so the victim only needs to click the “Sign in” button. 

A fake login form for the scammer's website. The username/password are pre-filled into the form.

Once logged in, it is readily apparent that the website goes to great lengths to appear legitimate. The site even includes a group chat feature near the bottom where you can see various other users discussing cryptocurrency-related topics. As a logged-in user, the victim can even comment. Watching the text scroll by in the chat, it becomes apparent that they are recycling the same comments over and over, and these are not real users.

The scammer's website tries very hard to look legitimate. They even include a fake group chat.

When the victim attempts to claim their Bitcoin from the main site, they are redirected to what looks like a live chat with an agent named “Sophia.”

When the victim tries to claim their BTC they are directed to a “live” chat with an agent named “Sophia.”

Sophia chats with us for a moment before sending a form to fill out to collect the Bitcoin.

Sophia sends the victim a form to fill out to collect their BTC. 

The form asks the victim to fill in their name, email address and the cashout method the user prefers. 

The victim must fill out a form indicating how they wish to receive the money from the BTC they exchanged for USD.

Once the form has been filled out and submitted, the victim is again redirected back to the chat with Sophia, who proceeds to give us a button to kick off the currency exchange of BTC into USD.

Sophia finishes chatting with the victim and provides a button to facilitate the Currency Exchange.

Now, we can begin to see the end game for this particular scam. The victim is instructed that to claim the almost $48,000 USD, the victim must pay an “exchange fee” of 0.25%, or $64 USD.

To receive the USD from the converted BTC, the victim must pay an exchange fee of 0.25%.

When the victim clicks “Exchange Bitcoin,” they are presented with one last form where the victim is prompted to enter their name, email and phone number. 

A payment form from the scammers. They are asking for $64.

Clicking “Pay” brings up a QR code for the BTC wallet of the spammers. Fortunately, nobody has fallen for this scam and paid the attackers, as the connected Bitcoin wallet was empty as of November 6, 2023.

The BTC wallet the attackers are using to receive the “exchange fee.”

The amount of setup work necessary to conduct a spam attack such as this, combined with the extraordinary attention to detail put into the social engineering for the subsequent cryptocurrency scam, demonstrates just how far cybercriminals will go when it comes to separating victims from even a small amount of money. As is usually the case with scams such as this, when something sounds too good to be true, it often is.

**IOCs**

IOCs for this research can also be found in our GitHub repository here.

Spammers abuse Google Forms’ quiz to deliver scams

By Deeba Ahmed
Palo Alto's Unit 42 Reveals Chinese APT Spying on 24 Cambodian Government Entities as Part of Long-Term Cyberespionage.
This is a post from HackRead.com Read the original post: Chinese APT Posing as Cloud Services to Spy on Cambodian Government

Cybersecurity researchers are confident that the targeted organizations are “still compromised” by “two prominent Chinese APT” groups.

Palo Alto Networks’ Unit 42 cybersecurity researchers have discovered that Chinese APT groups could be involved in a long-term espionage campaign against Cambodian government organizations using infrastructure masqueraded as cloud backup services.

According to the Unit 42 report, researchers noted network connections—specifically inbound connections—primarily originating from 24 Cambodian government organizations.

The researchers also believe that these organizations are ‘still compromised’ by ‘two prominent Chinese APT’ actors due to the infrastructure’s characteristics and the enduring persistence of these connections over several months.

It is worth noting that the certainty about the involvement of two **Chinese APT groups** stemmed from monitoring telemetry data, which established a clear link with these groups.

“We assess that these organizations are likely the targets of long-term cyberespionage activities that have leveraged this infrastructure for persistent access to government networks of interest,” said the Santa Clara, California-based cybersecurity giant.

These organizations were communicating regularly with the infrastructure between September and October 2023. Many of these organizations provided critical services to the following industries.

*   Politics
*   Commerce
*   Human rights
*   National defense
*   Election oversight
*   Natural resources
*   Telecommunications
*   National treasury and finance

The research emerged just days after **Canada banned the Chinese WeChat app** from all government devices due to spying concerns, prompting employees to promptly uninstall the application.

Researchers noted that organizations in these sectors could be targets of interest because of storing vast amounts of sensitive information, including financial data, classified government data, and PII (personally identifiable information) of citizens. They discovered at least six target-facing IP addresses used in the campaign, each hosting numerous subdomains. 

These domains were masqueraded as cloud storage services, which is the perfect alibi to create a sense of legitimacy to the unusually high traffic the server may observe during “high activity levels from the actor, such as data exfiltration from the victim network,” researchers wrote in their **blog post**.

Moreover, they had “high confidence” that these IP addresses served as the C2 infrastructure for the actor, and running the Cowrie honeypot on port 2222. Most likely, this honeypot was a cover to trick network defenders and security researchers investigating the “anomalous activity.”

In addition, they observed IP filtering on this infrastructure. It was used for blocking connections from IP ranges from known Palo Alto Networks several Big Tech and cybersecurity firms, and a number of VPS and cloud hosting providers. 

These C2 ports open only when the actor is active (between 08:30 and 17:30 UTC +08:00 (China Standard Time) on weekdays (Monday to Friday)) and remain closed otherwise. This means the actor is filtering connections to the malicious infrastructure to reduce the risk of C2 profiling by IP scanners or to evade detection.

Infrastructure overview of the Chinese APT groups (Unit42)

“This pattern might indicate the actor is attempting to avoid detection by blending into regular Cambodian business hours which are UTC +07:00.”

However, between September 29-October 8 2023, during China’s Golden Week and Special Working Days, the APT actors ceased their activity. This suggests that the attackers are based in **China** and following the country’s regular working hours, thus, validating Unit 42’s assessment regarding the attackers.

It is worth noting that Cambodia is **among** the signatories of the Chinese Belt and Road Initiative. The countries share strong economic and diplomatic relations. China has made significantly high investments to **modernize** Cambodia’s Ream Naval Base, despite that the project sparked **concerns** within the West. After completion, this base will become China’s first overseas outpost in Southeast Asia. This indicates that Cambodia is an important ally of China.

****_RELATED ARTICLES_****

1.  **Who Killed the IoT Zombie Mozi Botnet – China or India?**
2.  **Chinese Scammers Use Fake Loan Apps for Money Laundering**
3.  **Chinese Silent Skimmer Attack Hits Businesses in APAC and NALA regions**
4.  **Chinese Hackers Stole 60,000 US State Department Emails from Microsoft**
5.  **Chinese Smishing Triad Gang Hits US Users in Extensive Cybercrime Attack**
6.  **Chinese Hackers Stole Microsoft’s Signing Key to Breach Outlook Accounts**

Chinese APT Posing as Cloud Services to Spy on Cambodian Government

Iranian nation-state actors have been observed using a previously undocumented command-and-control (C2) framework called MuddyC2Go as part of attacks targeting Israel.
"The framework's web component is written in the Go programming language," Deep Instinct security researcher Simon Kenin said in a technical report published Wednesday.
The tool has been attributed to MuddyWater, an Iranian

Iranian nation-state actors have been observed using a previously undocumented command-and-control (C2) framework called **MuddyC2Go** as part of attacks targeting Israel.

"The framework's web component is written in the Go programming language," Deep Instinct security researcher Simon Kenin said in a technical report published Wednesday.

The tool has been attributed to MuddyWater, an Iranian state-sponsored hacking crew that's affiliated to the country's Ministry of Intelligence and Security (MOIS).

The cybersecurity firm said the C2 framework may have been put to use by the threat actor since early 2020, with recent attacks leveraging it in place of PhonyC2, another custom C2 platform from MuddyWater that came to light in June 2023 and has had its source code leaked.

Typical attack sequences observed over the years have involved sending spear-phishing emails bearing malware-laced archives or bogus links that lead to the deployment of legitimate remote administration tools.

The installation of the remote administration software paves the way for the delivery of additional payloads, including PhonyC2.

MuddyWater's modus operandi has since received a facelift, using password-protected archives to evade email security solutions and distributing an executable instead of a remote administration tool.

"This executable contains an embedded PowerShell script that automatically connects to MuddyWater's C2, eliminating the need for manual execution by the operator," Kenin explained.

The MuddyC2Go server, in return, sends a PowerShell script, which runs every 10 seconds and waits for further commands from the operator.

While the full extent of MuddyC2Go's features are unknown, it's suspected to be a framework that's responsible for generating PowerShell payloads in order to conduct post-exploitation activities.

"We recommend disabling PowerShell if it is not needed," Kenin said. "If it is enabled, we recommend close monitoring of PowerShell activity."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

MuddyC2Go: New C2 Framework Iranian Hackers Using Against Israel

In Eclipse IDE versions < 2023-09 (4.29) some files with xml content are parsed vulnerable against all sorts of XXE attacks. The user just needs to open any evil project or update an open project with a vulnerable file (for example for review a foreign repository or patch).


Skip to content

GitLab 

**XXE in eclipse IDE**

**Basic information**

**Project name:** org.eclipse.pde org.eclipse.jdt org.eclipse.platform org.eclipse.osgi

**Project id:** {id}

**What are the affected versions?**

probably all

**Details of the issue**

SonarLint reports many possible XXE attacks in eclipse IDE's sourcecode. for example: 

**Steps to reproduce**

Don't know. Probably manipulating development xml-files like "build.xml", "plugin.xml", "feature.xml", ".polyglot.feature.xml", ... which should be normally self contained and do not require access from external sources.

**Do you know any mitigations of the issue?**

https://rules.sonarsource.com/java/RSPEC-2755 recommends to replace "SAXParserFactory.newInstance();" with code that disables external access by properties see also https://cheatsheetseries.owasp.org/cheatsheets/XML\_External\_Entity\_Prevention\_Cheat\_Sheet.html

Tag

#git