CVE-2019-20153

Name of the Vulnerable Software and Affected Versions Determine Contract Lifecycle Management (CLM) version 5.4

Description An issue was discovered that allows authenticated remote attackers to read arbitrary files, including configuration files containing administrative credentials, due to an XML external entity (XXE) vulnerability in the upload definition feature in the definition upload attach.jsp file.

Recommendations For version 5.4, as a temporary workaround, consider restricting access to the definition upload attach.jsp file until a patch is available. Avoid using the upload definition feature in this version to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.