XXE is present but they is not used more ahead

Greetings fellows
I have a doubt about some XXE. What a should report ? I have some cases where the vulnerability exists but they don’t use this xml more ahead in the code.
XmlDocument objDocument = new XmlDocument();
objDocument.LoadXml(xmlOverride);

so in the project they .net 4.5 and some referentes in 3.5. Also the load the same stuff visual basic code.

so if the vulnerability exists but they don’t use this code more ahead is not vulnerable or yes ?

reference: https://www.jardinesoftware.net/2016/05/26/xxe-and-net/

If the code is there then is a vulnerability (unless is commented or from a third party library). We can’t ensure that they won’t use that code in the future. You can modify the Report Confidence to reasonable because of this.

1 Like