Hi, I am currently working on an effort to patch security vulnerabilities identified in CVEs that are introduced by third-party libs. Part of doing that is assessing the risk and impact of these vulnerabilities. The question is: "Does having to be an authenticated and authorized user to access a feature reduce or eliminate the risk and impact of a security vulnerability?" Is it like saying something is behind a firewall, therefore it is secure? Especially if that user group is pretty controlled? I know it may sound like a dumb question, but I'm thinking a large part of hacking is obtaining credentials or pretending to be someone else, therefore you are still vulnerable.
The specific vulnerability I am looking at is XML External Entity Injection (XXE) attacks. Our app is not open to non-authenticated users. So if you have to be given credentials to access the UI and services, can you assume that the limited group access works like a firewall and moves the risk and impact down significantly? Does the XXE assessment of HIGH criticality move down to LOW or maybe even none then?