CREST Practitioner Security Analyst (CPSA) Practice 2026 - Free CPSA Practice Questions and Study Guide

Question: 1 / 485

What is a potential consequence of an XXE attack?

Database corruption

Unauthorized access

Confidential data disclosure

Confidential data disclosure is the consequence most directly tied to how an XML External Entity (XXE) attack works. When an application processes XML input, its parser may accept attacker-supplied XML that references external entities or files. The application can then unintentionally disclose sensitive information stored on the server, such as configuration files, user data, or other sensitive documents.

When an attacker successfully exploits an XXE vulnerability, they craft input that causes the application to read restricted data and return it to the attacker. This happens because the XML parser is directed to access files on the server, or even to make requests to other services, and so reveals confidential data.

While database corruption, unauthorized access, and remote code execution are also serious security concerns, they are not the primary consequences directly associated with XXE vulnerabilities. XXE primarily facilitates the extraction of sensitive information, which is why confidential data disclosure is the correct answer in this context.

Remote code execution
