Apache · Apache Cayenne · CVE-2018-11758
**Name of the Vulnerable Software and Affected Versions**
Apache Cayenne versions 3.1 through 3.1.2
Apache Cayenne version 3.2.M1
Apache Cayenne versions 4.0.B1 through 4.0.RC1
Apache Cayenne versions 4.0.M2 through 4.0.M5
Apache Cayenne version 4.1.M1
**Description**
The issue affects CayenneModeler, a desktop GUI tool for editing Cayenne ORM models stored as XML files. An attacker can trick a user into opening a malicious XML file, allowing the attacker to transfer files from the user's local machine to a remote machine. The cause is that the XML parser processes XML External Entity (XXE) declarations found in the XML files it loads.
**Recommendations**
For all affected releases (Apache Cayenne versions 3.1 through 3.1.2, version 3.2.M1, versions 4.0.B1 through 4.0.RC1, versions 4.0.M2 through 4.0.M5 and version 4.1.M1), update to a version where XXE processing is disabled in all operations that require XML parsing.