
Sharon Briznov

#32046 of 53,632
7.8 Total CVSS
Vulnerabilities · 1
PT-2022-1741
7.8
2022-01-25
GE · GE Gas Power ToolBoxST · CVE-2021-44477
**Name of the Vulnerable Software and Affected Versions**

GE Gas Power ToolBoxST version v04.07.05C

**Description**

The issue is related to an XML external entity (XXE) vulnerability using the DTD parameter entities technique. This could result in the disclosure and retrieval of arbitrary data on the affected node via an out-of-band (OOB) attack. The vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project/template file.

**Recommendations**

For GE Gas Power ToolBoxST version v04.07.05C, ensure that input passed to the XML parser is properly sanitized to prevent exploitation of the XXE vulnerability. As a temporary workaround, consider restricting access to the XML parser or limiting the parsing of XML project/template files until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.