CVE-2018-1000889

Name of the Vulnerable Software and Affected Versions: Logisim Evolution versions prior to 2.14.4

Description: The issue is related to an XML External Entity (XXE) vulnerability in the Circuit file loading functionality, specifically in the loadXmlFrom function within src/com/cburch/logisim/file/XmlReader.java. This can lead to information leaks and potentially Remote Code Execution (RCE) depending on the system configuration. The attack is exploitable if a victim opens a specially crafted circuit file.

Recommendations: For versions prior to 2.14.4, update to version 2.14.4 or later to resolve the issue. As a temporary workaround, consider avoiding the use of the loadXmlFrom function in XmlReader.java until the update is applied. Restrict access to specially crafted circuit files to minimize the risk of exploitation.