XML Library Xalan Security Update (MINDBREEZE16261)

ID: MINDBREEZE16261 
Affected Components: Mindbreeze InSpire G6, Mindbreeze InSpire G7, Mindbreeze InSpire SaaS 
Severity: 7.5 High 
Status: Final 
First published: February 2, 2021 
CVEs: CVE-2014-0107

Summary

The Apache Xalan TransformerFactory does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources.

Remediation

Hotfix Information

Fixed with following versions of Mindbreeze InSpire On-Premises or Mindbreeze InSpire SaaS:

• Mindbreeze InSpire 20.5 Release (Version 20.5.1.835)
• Mindbreeze InSpire SaaS 20.5 Release (Version 20.5.1.835)