CVE-2023-28150 in JODF

Summary

by MITRE • 03/25/2023

An issue was discovered in Independentsoft JODF before 1.1.110. The API is prone to XML external entity (XXE) injection via a remote DTD in a DOCX file.


Analysis

by VulDB Data Team • 12/01/2025

The vulnerability identified as CVE-2023-28150 affects the Independentsoft JODF library version prior to 1.1.110, presenting a critical XML external entity injection flaw that can be exploited through remote DTD references within DOCX files. This issue stems from inadequate input validation and processing of XML content, particularly when handling document formats that rely on XML-based structures. The vulnerability exists within the library's XML parsing mechanism, which fails to properly restrict external entity resolution during document processing operations.

The technical flaw manifests when the JODF library processes DOCX files whose XML parts reference a remote DTD. This creates an XXE injection vector: an attacker can craft a DOCX document whose XML declares entities that point at external resources, and when the vulnerable library parses such a document it resolves those entities, potentially allowing remote code execution, data exfiltration, or denial of service. The weakness lies in the library's handling of XML entities, which leaves it open to carefully constructed document payloads that abuse the parser's entity-resolution behaviour.

The operational impact of this vulnerability is significant for organizations relying on the JODF library for document processing. Attackers could exploit this weakness by sending malicious DOCX files to systems running vulnerable applications, potentially leading to unauthorized access to internal systems, data breaches, or complete system compromise. The vulnerability affects any application that utilizes the affected library for processing user-uploaded or externally received DOCX documents, creating a broad attack surface across various enterprise applications including content management systems, document processing platforms, and automated document handling workflows. The remote nature of the attack vector means that exploitation can occur without requiring local access to the target system.

Mitigation strategies for CVE-2023-28150 include immediate upgrade to Independentsoft JODF version 1.1.110 or later, which contains the necessary fixes to prevent XXE injection attacks. Organizations should also implement XML parser configuration changes that disable external entity resolution and DTD processing entirely within their applications. Additional protective measures include input validation and sanitization of all document uploads, network-level restrictions preventing access to external resources, and implementing web application firewalls that can detect and block suspicious XML patterns. This vulnerability aligns with CWE-611 (Improper Restriction of XML External Entity Reference) and maps to ATT&CK technique T1059.007 (Command and Scripting Interpreter: PowerShell) through potential exploitation pathways that could lead to command execution. Security teams should also consider implementing automated vulnerability scanning and monitoring for suspicious document processing activities to detect potential exploitation attempts.
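The following is an added example (not code from Independentsoft JODF or from VulDB) of the upload-side check described above: before any document library parses an uploaded DOCX, open the ZIP package, inspect every XML part, and reject the file if any part carries a DOCTYPE declaration, an external DTD identifier, or an ENTITY declaration. Because OOXML parts are validated against XML Schemas rather than DTDs, a DOCTYPE has no legitimate place in them, so rejecting it outright is a safe policy and removes the carrier of the remote DTD reference this CVE describes. The sample packages, the part names other than the standard OOXML ones, and the hostname in the remote-DTD sample are all constructed for this example.

```python
"""Pre-parse gate for DOCX uploads (added example for CVE-2023-28150)."""
import io
import re
import zipfile
from typing import List, Optional

# Zip entries treated as XML parts; .rels files are XML relationship parts.
XML_SUFFIXES = (".xml", ".rels")
# Refuse to inflate absurdly large parts (decompression bombs are a separate DoS vector).
MAX_PART_BYTES = 16 * 1024 * 1024

DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
ENTITY_RE = re.compile(rb"<!ENTITY\b", re.IGNORECASE)
EXTERNAL_ID_RE = re.compile(rb"\b(SYSTEM|PUBLIC)\b")


def doctype_span(data: bytes) -> Optional[bytes]:
    """Return the bytes of the first DOCTYPE declaration, or None if absent.

    Handles <!DOCTYPE x SYSTEM "uri"> as well as <!DOCTYPE x [ ... ]> with an
    internal subset, whose entity declarations contain their own '>' characters.
    """
    m = DOCTYPE_RE.search(data)
    if m is None:
        return None
    start = m.start()
    lbracket = data.find(b"[", start)
    gt = data.find(b">", start)
    if lbracket != -1 and (gt == -1 or lbracket < gt):
        end = data.find(b"]>", lbracket)
        return data[start:] if end == -1 else data[start:end + 2]
    return data[start:] if gt == -1 else data[start:gt + 1]


def scan_xml_part(name: str, data: bytes) -> List[str]:
    """Findings for one XML part; an empty list means the part is clean."""
    findings = []
    decl = doctype_span(data)
    if decl is not None:
        findings.append(f"{name}: DOCTYPE declaration present")
        # Only the DOCTYPE span is checked for SYSTEM/PUBLIC, so the words
        # appearing in ordinary body text do not trigger a false positive.
        if EXTERNAL_ID_RE.search(decl):
            findings.append(f"{name}: DOCTYPE references an external DTD")
        if ENTITY_RE.search(decl):
            findings.append(f"{name}: DOCTYPE declares entities")
    elif ENTITY_RE.search(data):
        # An ENTITY declaration outside a DOCTYPE is malformed; reject it anyway.
        findings.append(f"{name}: ENTITY declaration outside a DOCTYPE")
    return findings


def scan_docx(blob: bytes) -> List[str]:
    """Inspect every XML part of a DOCX package. Empty list = accept the upload."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if not info.filename.lower().endswith(XML_SUFFIXES):
                    continue  # media and other binary parts are not XML
                if info.file_size > MAX_PART_BYTES:
                    findings.append(f"{info.filename}: part exceeds size limit")
                    continue
                findings.extend(scan_xml_part(info.filename, zf.read(info)))
    except zipfile.BadZipFile:
        findings.append("package: not a valid ZIP container")
    return findings


def is_safe_docx(blob: bytes) -> bool:
    return not scan_docx(blob)


def build_docx(document_xml: bytes) -> bytes:
    """Build a minimal DOCX package around the given word/document.xml (constructed sample)."""
    content_types = (
        b'<?xml version="1.0" encoding="UTF-8"?>'
        b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        b'<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        b'<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        b'</Types>')
    rels = (
        b'<?xml version="1.0" encoding="UTF-8"?>'
        b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        b'<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
        b'</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("_rels/.rels", rels)
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


W_NS = b'xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'

# Constructed benign sample; its body text deliberately contains the word SYSTEM.
BENIGN_DOCX = build_docx(
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<w:document ' + W_NS + b'><w:body><w:p><w:r><w:t>SYSTEM notes</w:t></w:r></w:p></w:body></w:document>')

# Constructed sample of the pattern the advisory describes: a DOCTYPE that pulls a
# DTD from a remote host. The hostname is a placeholder, not a real resource.
REMOTE_DTD_DOCX = build_docx(
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<!DOCTYPE w:document SYSTEM "http://dtd-host.example/remote.dtd">'
    b'<w:document ' + W_NS + b'><w:body/></w:document>')

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_DOCX), ("remote-dtd", REMOTE_DTD_DOCX)):
        verdict = "accepted" if is_safe_docx(blob) else "rejected"
        print(label, verdict, scan_docx(blob))
```

The gate is deliberately stricter than the parser hardening it complements: a hardened parser (external entities and DTD loading disabled) protects the application's own XML handling, while this check stops a document before it reaches a third-party library whose internal parser configuration the application cannot control, which is exactly the situation with a vulnerable JODF build. The findings list is what a security team would log for monitoring of suspicious document uploads.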

Responsible

MITRE

Reservation

03/12/2023

Disclosure

03/25/2023

Moderation

accepted

CPE

ready

EPSS

0.00388

KEV

no

Activities

very low

Sources
