Description
In Eclipse Kura versions up to 4.0.0, the Web UI package and component services, the Artemis simple Mqtt component and the emulator position service (not part of the device distribution) could potentially be target of XXE attack due to an improper factory and parser initialisation.
Remediation
References
http://www.securityfocus.com/bid/107844
https://bugs.eclipse.org/bugs/show_bug.cgi?id=545835
Related Vulnerabilities
CVE-2021-39148 Vulnerability in maven package com.thoughtworks.xstream:xstream
CVE-2023-3691 Vulnerability in maven package org.webjars:layui
CVE-2021-25642 Vulnerability in maven package org.apache.hadoop:hadoop-yarn-server-resourcemanager
CVE-2017-2666 Vulnerability in maven package io.undertow:undertow-core
CVE-2022-29166 Vulnerability in npm package matrix-appservice-irc