CVE-2020-10683 — Vulnetix

Try Vulnetix Request Demo

CVE-2020-10683 PUBLISHED

dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.

EPSS 6.96% · 91.4th percentile

Risk Scores

EPSS Score

6.96%

91.4th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:16.04:LTS	dom4j	0, 1.6.1+dfsg.3-2ubuntu1
Ubuntu:14.04:LTS	dom4j	1.6.1+dfsg.3-2ubuntu1, 0
Ubuntu:20.04:LTS	dom4j	0, 2.1.1-2
Ubuntu:18.04:LTS	dom4j	2.1.0-1, 2.1.0-2, 0

Timeline

Apr 15, 2020 CVE Published
Apr 14, 2021 EPSS Score
Sep 15, 2021 EPSS Score
Sep 18, 2021 EPSS Score
Jan 6, 2022 EPSS Score
Feb 4, 2022 EPSS Score
Apr 1, 2022 EPSS Score
Mar 7, 2023 EPSS Score
Feb 8, 2024 PoC Published
Mar 17, 2025 EPSS Score
Mar 30, 2025 EPSS Score
May 23, 2025 EPSS Score

References

https://ubuntu.com/security/CVE-2020-10683 third-party-advisory
https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658 third-party-advisory
https://ubuntu.com/security/notices/USN-4575-1 vendor-advisory
https://www.cve.org/CVERecord?id=CVE-2020-10683 third-party-advisory

Open in Interactive Console →