diff --git a/Changelog b/Changelog
index 67833b2..a372879 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+Fix security issue CWE-611
Add support for CDATA section in the server response
1.13.0
diff --git a/pom.xml b/pom.xml
index b065300..ccacc48 100644
--- a/pom.xml
+++ b/pom.xml
@@ -42,6 +42,11 @@
jISO8601
0.2
+
+ xerces
+ xercesImpl
+ 2.12.2
+
com.github.tomakehurst
wiremock-jre8
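Review bot: The new `xercesImpl` 2.12.2 dependency carries no comment explaining why a library that already uses the JAXP `DocumentBuilderFactory.newInstance()` lookup now ships its own parser, and no scope is visible in the hunk. If the reason is to guarantee that the `http://apache.org/xml/features/disallow-doctype-decl` feature set in ResponseParser is recognised on every runtime, say so next to the dependency, e.g. `<!-- Explicit Xerces so the CWE-611 hardening in ResponseParser (disallow-doctype-decl) is honoured regardless of the runtime's default parser -->`. Note that at default (compile) scope this dependency becomes transitive for every consumer of the library and, via the service loader, replaces the parser they would otherwise get, so consumers inherit its update cadence; if it is only needed for tests, `test` scope would avoid that. Whether the target runtimes' built-in parsers already accept the feature is not determinable from the diff.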
diff --git a/src/main/java/de/timroes/axmlrpc/ResponseParser.java b/src/main/java/de/timroes/axmlrpc/ResponseParser.java
index 6feef08..6117937 100644
--- a/src/main/java/de/timroes/axmlrpc/ResponseParser.java
+++ b/src/main/java/de/timroes/axmlrpc/ResponseParser.java
@@ -10,6 +10,7 @@
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
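Review bot: `ParserConfigurationException` is imported here for the `factory.setFeature(...)` call in the `parse` hunk below, but the catch that handles it lies outside the visible hunks (that hunk also runs past the end of this excerpt), so it is worth confirming that a parser which rejects the Apache feature URI is reported as an `XMLRPCException` with the cause preserved rather than swallowed, since in that case no parse has happened at all. Two smaller points in the same `parse` hunk: `factory.setExpandEntityReferences(false);` is set twice (once before and once after `setNamespaceAware`), and `setXIncludeAware(false)` is declared by the JAXP base class to throw `UnsupportedOperationException` on implementations that do not override it, which the surrounding catch may not cover. A one-line comment on the feature call would help future readers, e.g. `// Reject any DOCTYPE: blocks external entities and entity expansion (XXE, CWE-611); throws ParserConfigurationException on parsers that lack this feature`.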
@@ -45,9 +46,17 @@ public class ResponseParser {
public Object parse(SerializerHandler serializerHandler, InputStream response, boolean debugMode) throws XMLRPCException {
try {
-
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+
+ // Ensure the xml parser won't allow exploitation of the vuln CWE-611
+ // (described on https://cwe.mitre.org/data/definitions/611.html )
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ factory.setExpandEntityReferences(false);
factory.setNamespaceAware(true);
+ factory.setXIncludeAware(false);
+ factory.setExpandEntityReferences(false);
+ // End of the configuration of the parser for CWE-611
+
DocumentBuilder builder = factory.newDocumentBuilder();
Document dom = builder.parse(response);
if (debugMode ){