### [CVE-2017-9096](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9096)
![](https://img.shields.io/static/v1?label=Product&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brightgreen)

### Description

The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF.

### POC

#### Reference
- https://www.oracle.com/security-alerts/cpuoct2020.html

#### Github
- https://github.com/0xCyberY/CVE-T4PDF
- https://github.com/A-TPL-Bench/LibHunter
- https://github.com/ARPSyndicate/cvemon
- https://github.com/Anonymous-Phunter/PHunter
- https://github.com/CGCL-codes/LibHunter
- https://github.com/CGCL-codes/PHunter
- https://github.com/LibHunter/LibHunter
- https://github.com/jakabakos/CVE-2017-9096
- https://github.com/jakabakos/CVE-2017-9096-iText-XXE
- https://github.com/null9900/threadbox-evaluation
- https://github.com/spashx/cyclonedx2cytoscape
- https://github.com/terrylao/itext-4.2.2