Vulnerabilities > Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

DATE CVE VULNERABILITY TITLE RISK
2008-08-27 CVE-2008-3281 XML Entity Expansion vulnerability in multiple products
libxml2 2.6.32 and earlier does not properly detect recursion during entity expansion in an attribute value, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document.
6.5
2003-12-31 CVE-2003-1564 XML Entity Expansion vulnerability in Xmlsoft Libxml2
libxml2, possibly before 2.5.0, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, aka the "billion laughs attack."
network
low complexity
xmlsoft CWE-776
6.5