Kvakil

#29003de 53,633
8.8 CVSS total
Vulnerabilities · 1
PT-2018-9604
8.8
2018-12-27
Logisim · Logisim Evolution · CVE-2018-1000889
Name of the Vulnerable Software and Affected Versions: Logisim Evolution versions prior to 2.14.4

Description: The issue is an XML External Entity (XXE) vulnerability in the circuit file loading functionality, specifically in the `loadXmlFrom` function within `src/com/cburch/logisim/file/XmlReader.java`. It can lead to information leaks and, depending on the system configuration, potentially to Remote Code Execution (RCE). The vulnerability is exploitable when a victim opens a specially crafted circuit file.

Recommendations: For versions prior to 2.14.4, update to version 2.14.4 or later to resolve the issue. As a temporary workaround, consider avoiding the use of the `loadXmlFrom` function in `XmlReader.java` until the update is applied. Restrict access to specially crafted circuit files to minimize the risk of exploitation.
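The hardening that closes this class of bug is to parse the circuit XML with DTDs and external entities disabled. The following is an added example, not Logisim Evolution's own code: it reuses the page's `loadXmlFrom` name, but its body, the use of `DocumentBuilderFactory`, and the minimal `<project>` sample document are assumptions.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.IOException;
import java.io.StringReader;

public class SafeCircuitLoader {

    // Hardened factory: no DOCTYPE, no external general/parameter entities,
    // no external DTD loading, no XInclude, JAXP secure processing on.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    // Assumed replacement for the loader: same name as on the page, hardened body.
    static Document loadXmlFrom(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder b = hardenedFactory().newDocumentBuilder();
        // Defence in depth: any external reference that still reaches the resolver gets empty input.
        b.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return b.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a minimal circuit file (element layout is assumed, not Logisim's schema).
        String plain = "<project version=\"1.0\"><circuit name=\"main\"/></project>";
        System.out.println("loaded: " + loadXmlFrom(plain).getDocumentElement().getTagName());

        // Constructed sample with a DOCTYPE: rejected before any entity declaration is processed.
        String withDoctype = "<!DOCTYPE project [<!ENTITY e \"x\">]><project>&e;</project>";
        try {
            loadXmlFrom(withDoctype);
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A file that carries a DOCTYPE is refused outright, which is the behaviour a circuit loader wants since legitimate circuit files need no DTD.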