Since the CIR server requested the fictitious file, I could safely assume the server is vulnerable to XXE injection. To proceed to exploitation, I crafted the XML request to obtain the contents of the DTD file “ev.xml” hosted at http://adversary.site/ev.xml.

Read full news article on Solutionary