Trent Gordon

#21770 of 53,638
11 CVSS total
Vulnerabilities · 2
Medium
2
PT-2018-10133
5.5
2018-05-11
Modbuspal · Modbuspal · CVE-2018-10832
**Name of the Vulnerable Software and Affected Versions**

ModbusPal version 1.6b

**Description**

The issue allows for an XML External Entity (XXE) attack. This occurs because projects and automations are saved in XML-based files (.xmpp and .xmpa respectively), which are susceptible to XXE injection. When a user opens or imports a specially crafted .xmpp or .xmpa file sent to them, ModbusPal can return the contents of any local files to a remote attacker.

**Recommendations**

For ModbusPal version 1.6b, as a temporary workaround, consider avoiding the use of .xmpp and .xmpa files from untrusted sources until a patch is available. Restrict access to sensitive local files to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2017-18698
5.5
2017-09-08
Diving Log · Diving Log · CVE-2017-9095
**Name of the Vulnerable Software and Affected Versions**

Diving Log version 6.0

**Description**

The issue allows attackers to remotely view local files through a crafted `dive.xml` file that is mishandled during a Subsurface import. This is related to an XXE (XML External Entity) issue.

**Recommendations**

For Diving Log version 6.0, update to a newer version that contains a fix for this issue to prevent attackers from remotely viewing local files.