Esteban Rodriguez

**Name of the Vulnerable Software and Affected Versions** Determine Contract Lifecycle Management (CLM) version 5.4 **Description** An issue was discovered that allows authenticated remote attackers to read arbitrary files, including configuration files containing administrative credentials, due to an XML external entity (XXE) vulnerability in the upload definition feature in the definition upload attach.jsp file. **Recommendations** For version 5.4, as a temporary workaround, consider restricting access to the definition upload attach.jsp file until a patch is available. Avoid using the upload definition feature in this version to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Determine Contract Lifecycle Management (CLM) version 5.4 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML through multiple `getchart.jsp` parameters. **Recommendations** For version 5.4, avoid using the vulnerable `getchart.jsp` parameters until a fix is available. As a temporary workaround, consider restricting access to the `getchart.jsp` endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Determine Contract Lifecycle Management (CLM) version 5.4 **Description** An issue in report edit.jsp allows any authenticated user to execute Groovy code when generating a report. This results in arbitrary code execution on the underlying server. **Recommendations** For version 5.4, consider restricting access to the report edit.jsp page until a fix is available, and avoid generating reports from untrusted sources to minimize the risk of exploitation.