During the security tests, the analyzed application was found to be vulnerable to XML Entity Expansion attacks. First, a DOCTYPE block is used to define a "Tarlogic" entity in a request; the corresponding response shows that the server processes (expands) the entity.
XML Entity Expansion Vulnerability in TEWS
Product: IDM 14.5.1
CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
It is recommended to disable the processing of DOCTYPE blocks altogether, which prevents the arbitrary definition of entities. To do so, consult the documentation of the XML parser in use. Useful information on disabling entity processing on the most common development platforms can be found in the following OWASP references.
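As an added example (not part of the advisory, which does not name the parser the server uses), the following Python code assumes a standard-library parser and shows the behaviour described in the finding next to the recommended fix: a constructed request defines a "Tarlogic" entity in its DOCTYPE, the unhardened parser expands it, and the hardened parser refuses any document carrying a DOCTYPE before a single entity is processed.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET

# Constructed sample request: the DOCTYPE defines an internal entity that the
# body then references, mirroring the test case in the finding.
ENTITY_REQUEST = b"""<?xml version="1.0"?>
<!DOCTYPE request [ <!ENTITY tester "Tarlogic"> ]>
<request><user>&tester;</user></request>"""

# Constructed sample request without any DOCTYPE block.
PLAIN_REQUEST = b"""<?xml version="1.0"?>
<request><user>alice</user></request>"""


class DoctypeNotAllowed(ValueError):
    """Raised when an incoming document carries a DOCTYPE declaration."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # expat calls this at the start of <!DOCTYPE ...>, before the internal
    # subset (and therefore before any <!ENTITY> declaration) is read.
    raise DoctypeNotAllowed(f"DOCTYPE '{name}' is not allowed")


def parse_unsafe(data: bytes) -> str:
    """Default parse: internal entities are expanded into the document."""
    return ET.fromstring(data).findtext("user")


def parse_safe(data: bytes) -> ET.Element:
    """Hardened parse: abort on DOCTYPE, then parse the DOCTYPE-free document."""
    checker = xml.parsers.expat.ParserCreate()
    checker.StartDoctypeDeclHandler = _reject_doctype
    checker.Parse(data, True)  # raises DoctypeNotAllowed for ENTITY_REQUEST
    return ET.fromstring(data)


def is_rejected(data: bytes) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_safe(data)
    except DoctypeNotAllowed:
        return True
    return False


if __name__ == "__main__":
    print("unhardened parser returned:", parse_unsafe(ENTITY_REQUEST))
    print("hardened parser rejects entity request:", is_rejected(ENTITY_REQUEST))
    print("hardened parser accepts plain request:", not is_rejected(PLAIN_REQUEST))
```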
A hotfix (HF) for the Production Server environment is available. Please raise a support ticket and request the fix.
Reference DE# DE650358