XSS to XXE in Prince v10 and below (CVE-2018-19858)
Introduction:

This is a vulnerability I found while participating in a bug-bounty program earlier this year. It affects Prince, software that converts "HTML, XHTML, or one of the many XML-based document formats" to PDF.

Summary

Prince (versions 10 and below) is vulnerable to XML External Entities (X…