XXE is present but they is not used more ahead

Greetings fellows
I have a doubt about some XXE. I have some cases where the vulnerability could exist but for example, the xml is not used more ahead in the code.
XmlDocument objDocument = new XmlDocument();

so in the project there is .net 4.5 and some referentes in 3.5. Also it is load the same stuff in visual basic code.

so if the vulnerability exists but the code is not used more ahead is not vulnerable, is it?

reference: https://www.jardinesoftware.net/2016/05/26/xxe-and-net/

If the code is there then is a vulnerability (unless is commented or from a third party library). We can’t ensure that they won’t use that code in the future. You can modify the Report Confidence to reasonable because of this.

1 Like