
I am maintaining an ASP.NET Framework 4.6 application that uses Log4Net (version 1.2.10.0) to store logs. I read that it has XXE vulnerabilities, so I am wondering whether I need to upgrade it.

As I understand XXE attacks, the user needs to be able to upload an XML configuration to the application? But my web app only uses an XML configuration that is within the app and is not public or accessible to the user. Do I still need to update the Log4net version? I am asking because I do not own the code for the app, and might have to require the owner to make the update.

Olof84

0 Answers