Description
In Eclipse Kura versions up to 4.0.0, the Web UI package and component services, the Artemis simple Mqtt component and the emulator position service (not part of the device distribution) could potentially be target of XXE attack due to an improper factory and parser initialisation.
Remediation
References
http://www.securityfocus.com/bid/107844
https://bugs.eclipse.org/bugs/show_bug.cgi?id=545835
Related Vulnerabilities
CVE-2016-10595 Vulnerability in npm package jdf-sass
CVE-2022-3171 Vulnerability in maven package com.google.protobuf:protobuf-javalite
CVE-2019-17426 Vulnerability in maven package org.webjars.npm:mongoose
CVE-2014-3577 Vulnerability in maven package org.apache.httpcomponents:httpclient
CVE-2020-16044 Vulnerability in maven package org.webjars.npm:electron