Blackduck scans of the EM have revealed two vulnerabilities with HIGH CVSS score:
Scanned EM version: 10.8.1.6
Reported vulnerabilities:
BDSA-2018-5289, severity 7.5 HIGH
Mozilla Rhino is vulnerable to XML external entities (XXE) due to insecure XML parsing in the toXml function. Applications that use this function to accept untrusted input could be vulnerable to information disclosure and minor integrity and availability impacts due to the requests sent and local files accessed by the external entities in the crafted XML document.
File locations of the detected component:
plugins/com.wily.introscope.appmap.em_10.8.0.jar!/WebContent/WEB-INF/lib/json.jar
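To confirm whether a given EM installation still carries the nested json.jar at the path the scan reports, the following added Python script (not part of this KB article or of the EM product) opens the plugin jar and parses the embedded jar in memory; the sample plugin jar it builds, and its entry names, are constructed for the demonstration.

```python
# Added example (not from the KB article): find a nested library inside an
# Eclipse-style plugin jar, the "outer.jar!/inner.jar" layout the scanner reports.
import io
import os
import tempfile
import zipfile

# Inner-jar path exactly as reported by the scan for this EM version.
REPORTED_INNER_PATH = "WebContent/WEB-INF/lib/json.jar"

def find_nested_jar(outer_jar, inner_path=REPORTED_INNER_PATH):
    """Return the entry names of the nested jar, or None if it is absent."""
    # The outer jar is read from disk; the inner one is parsed from memory,
    # so nothing is extracted onto the EM host.
    with zipfile.ZipFile(outer_jar) as outer:
        if inner_path not in outer.namelist():
            return None
        inner_bytes = outer.read(inner_path)
    with zipfile.ZipFile(io.BytesIO(inner_bytes)) as inner:
        return inner.namelist()

def scan_plugins_dir(plugins_dir):
    """Map each *.jar in the plugins directory to its nested json.jar entries."""
    findings = {}
    for name in sorted(os.listdir(plugins_dir)):
        if name.endswith(".jar"):
            entries = find_nested_jar(os.path.join(plugins_dir, name))
            if entries is not None:
                findings[name] = entries
    return findings

def build_sample_plugin(directory):
    """Constructed sample: a plugin jar embedding a tiny json.jar (assumed names)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("org/json/XML.class", b"placeholder, not real bytecode")
    outer_path = os.path.join(directory, "com.wily.introscope.appmap.em_10.8.0.jar")
    with zipfile.ZipFile(outer_path, "w") as z:
        z.writestr("plugin.xml", "<plugin/>")  # unrelated entry, also constructed
        z.writestr(REPORTED_INNER_PATH, inner.getvalue())
    return outer_path

def demo():
    """Build the constructed sample in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_plugin(tmp)
        return scan_plugins_dir(tmp)

if __name__ == "__main__":
    print(demo())
```

Point scan_plugins_dir at the real EM plugins directory to list every plugin jar that still embeds the reported json.jar after patching.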
A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.
Release: 10.8
Fixed in 10.8 SP1