CVE-2020-36124

Name of the Vulnerable Software and Affected Versions: Pax Technology PAXSTORE versions 7.0.8 20200511171508 and lower

Description: The issue allows an authenticated attacker to perform XML External Entity (XXE) injection, compromising the private keys of a JWT token. This enables the attacker to reuse the keys to manipulate access tokens, gaining access to the platform as any desired user, including both clients and administrators.

Recommendations: For versions 7.0.8 20200511171508 and lower, update to a version that includes a fix for the XML External Entity injection issue to prevent exploitation. As a temporary workaround, consider restricting access to JWT token private keys and limiting the reuse of access tokens until a patch is available.