Description
In Eclipse Kura versions up to 4.0.0, the Web UI package and component services, the Artemis simple Mqtt component and the emulator position service (not part of the device distribution) could potentially be target of XXE attack due to an improper factory and parser initialisation.
Remediation
References
https://bugs.eclipse.org/bugs/show_bug.cgi?id=545835
http://www.securityfocus.com/bid/107844
Related Vulnerabilities
CVE-2022-43434 Vulnerability in maven package io.jenkins.plugins:neuvector-vulnerability-scanner
CVE-2022-36904 Vulnerability in maven package org.jenkins-ci.plugins:repository-connector
CVE-2023-25761 Vulnerability in maven package org.jenkins-ci.plugins:junit
CVE-2023-45885 Vulnerability in npm package openmct
CVE-2023-30524 Vulnerability in maven package org.jenkins-ci.plugins:reportportal