Description
In Eclipse Kura versions up to 4.0.0, the Web UI package and component services, the Artemis simple MQTT component and the emulator position service (not part of the device distribution) could potentially be the target of an XXE attack, due to improper initialisation of the XML factory and parser.
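The root cause named above is a JAXP factory created with its defaults, which leave DOCTYPE processing and external entity resolution enabled. The following is an added example, not code from the Eclipse Kura project or from the bug report, showing how a DOM and a SAX factory are hardened before any document is parsed and how that configuration can be checked against a constructed DOCTYPE-bearing input. It assumes the JDK's built-in Xerces parser (the `http://apache.org/xml/features/...` feature names are Xerces-specific); the class name, the sample documents and the helper method names are this example's own.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

/** Added example: hardened JAXP factory initialisation (not Kura's code). */
public class HardenedXmlParsers {

    // Constructed sample: a document carrying a DOCTYPE with a harmless internal entity.
    // A factory left at its defaults accepts it; a hardened factory must reject any
    // DOCTYPE, because the DOCTYPE is where XXE payloads are declared.
    static final String DOCTYPE_SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE cfg [ <!ENTITY greeting \"hello\"> ]>\n"
      + "<cfg>&greeting;</cfg>";

    // Constructed sample: the same content without a DOCTYPE, which must still parse.
    static final String PLAIN_SAMPLE = "<?xml version=\"1.0\"?><cfg>hello</cfg>";

    /** DOM factory with DTD processing and all external access switched off. */
    static DocumentBuilderFactory hardenedDomFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refusing any DOCTYPE is the single most effective setting.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a different implementation ignores the setting above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** SAX factory with the same restrictions; used by streaming and JAXB-style code. */
    static SAXParserFactory hardenedSaxFactory()
            throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        return f;
    }

    /** Returns true if the DOM factory parses the document, false if it rejects it. */
    static boolean domAccepts(DocumentBuilderFactory f, String xml) throws IOException {
        try {
            DocumentBuilder b = f.newDocumentBuilder();
            b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (ParserConfigurationException | SAXException e) {
            return false; // a SAXParseException here is the hardened parser refusing the DOCTYPE
        }
    }

    /** Same check for the SAX path, using a no-op handler. */
    static boolean saxAccepts(SAXParserFactory f, String xml) throws IOException {
        try {
            SAXParser p = f.newSAXParser();
            p.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)),
                    new DefaultHandler());
            return true;
        } catch (ParserConfigurationException | SAXException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dom = hardenedDomFactory();
        SAXParserFactory sax = hardenedSaxFactory();
        // Expected: the plain document is accepted, the DOCTYPE document is rejected by both.
        System.out.println("DOM plain   accepted: " + domAccepts(dom, PLAIN_SAMPLE));   // true
        System.out.println("DOM doctype accepted: " + domAccepts(dom, DOCTYPE_SAMPLE)); // false
        System.out.println("SAX plain   accepted: " + saxAccepts(sax, PLAIN_SAMPLE));   // true
        System.out.println("SAX doctype accepted: " + saxAccepts(sax, DOCTYPE_SAMPLE)); // false
    }
}
```

The factory, not the individual parser, is where these settings belong: every `newDocumentBuilder()` or `newSAXParser()` then inherits them, which is the gap an "improper factory initialisation" leaves open. When the runtime swaps in a non-Xerces JAXP provider (common under OSGi), `setFeature` on an unknown feature name throws `ParserConfigurationException`; treating that as a startup failure rather than silently continuing is what keeps the hardening from being lost.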
Remediation
References
http://www.securityfocus.com/bid/107844
https://bugs.eclipse.org/bugs/show_bug.cgi?id=545835
Related Vulnerabilities
CVE-2019-12313 Vulnerability in npm package shave
CVE-2022-24948 Vulnerability in maven package org.apache.jspwiki:jspwiki-main
CVE-2020-28435 Vulnerability in npm package ffmpeg-sdk
CVE-2020-15087 Vulnerability in maven package io.prestosql:presto-main
CVE-2024-36401 Vulnerability in maven package org.geoserver.web:gs-web-app