
Ilyass-Armadin

#21141 of 53,635
11.8 Total CVSS
Vulnerabilities · 2
Medium · 2
PT-2026-40822
6.5
2026-05-13
Frappe · Erpnext · CVE-2026-44445
**Name of the Vulnerable Software and Affected Versions**

ERPNext versions prior to 15.104.3

ERPNext versions prior to 16.12.0

**Description**

An improper restriction of XML external entity (XXE) reference in the EDI Module allows an authenticated attacker to read files from the local file system, including sensitive configuration files. XXE is a type of attack that occurs when an XML parser improperly processes external entity references within an XML document.

**Recommendations**

Update to version 15.104.3.

Update to version 16.12.0.
PT-2026-36321
5.3
2026-05-01
Exiftool · Exiftool · CVE-2026-7580
**Name of the Vulnerable Software and Affected Versions**

Exiftool versions prior to 13.54

**Description**

Local code injection is possible through the manipulation of the `-ee` argument. The issue resides in the `Process mrld()` function within the `lib/Image/ExifTool/GM.pm` file, specifically affecting the JPEG, QuickTime, MOV, and MP4 components.

**Recommendations**

Upgrade to version 13.54.