Excel importer: External entities are not switched off in XML processor - Mendix Forum

3

The pen tester has found in source analysis that the external entities are not switched off during the processing of Excel files. Excel files can contain XML data. By adding XML injections to this XML data it is possible to add harmful code for the backend.
The vulnerability is caused by the fact that use of these entities is not explicitly switched off.
After each upgrade of the Excel importer we manually deactivate the external entities in:
➢ excelimporter/reader/readers/ExcelXLSXDataReader.java:34
➢ excelimporter/reader/readers/ExcelXLSXHeaderReader.java:52
➢ excelimporter/reader/readers/ReadOnlySharedStringsTable.java:135
This is a manual action which can be forgotten easily.
We prefer that this issue is solved in the future versions of the Excel importer.

asked
0 answers
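For reference, this is what the "switched off" state looks like for a JDK SAX parser reading an OOXML part such as sharedStrings.xml. It is an added example written against the standard `javax.xml`/`org.xml.sax` API, not code from the Mendix Excel importer module; the class name, the `countSharedStrings` helper and both XML strings are constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public final class SafeSheetXmlReader {

    /** Builds a SAX reader with DTD processing and external entity resolution disabled. */
    static XMLReader hardenedReader() throws ParserConfigurationException, SAXException {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        // Reject any DOCTYPE outright: the XML parts inside an .xlsx package never need one.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a parser implementation ignores the feature above.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setXIncludeAware(false);
        factory.setNamespaceAware(true);
        return factory.newSAXParser().getXMLReader();
    }

    /** Counts <t> elements (shared-string text runs) in a sharedStrings.xml-style document. */
    static int countSharedStrings(String xml) throws Exception {
        final int[] count = {0};
        XMLReader reader = hardenedReader();
        reader.setContentHandler(new DefaultHandler() {
            @Override public void startElement(String uri, String localName, String qName, Attributes atts) {
                if ("t".equals(localName)) count[0]++;
            }
        });
        reader.parse(new InputSource(new StringReader(xml)));
        return count[0];
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample resembling xl/sharedStrings.xml from an .xlsx package.
        String benign = "<sst xmlns=\"http://schemas.openxmlformats.org/spreadsheetml/2006/main\">"
            + "<si><t>Name</t></si><si><t>Amount</t></si></sst>";
        System.out.println("strings: " + countSharedStrings(benign));
        // Constructed sample carrying a DOCTYPE (even a harmless internal entity):
        // the hardened reader rejects it before any entity could be resolved.
        String withDoctype = "<!DOCTYPE sst [<!ENTITY e \"x\">]><sst><si><t>&e;</t></si></sst>";
        try { countSharedStrings(withDoctype); System.out.println("UNEXPECTED: DOCTYPE accepted"); }
        catch (SAXException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Running it prints `strings: 2` for the benign part and a `rejected: ...` line for the DOCTYPE sample; the same factory settings can be applied wherever the three readers listed above create their parser.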