CVE-2021-27931

Name of the Vulnerable Software and Affected Versions: LumisXP (aka Lumis Experience Platform) versions prior to 10.0.0

Description: The issue allows unauthenticated blind XXE via an API request to "PageControllerXml.jsp". An attacker can send a request crafted with an XXE payload to achieve outcomes such as reading local server files or denial of service.

Recommendations: For versions prior to 10.0.0, update to version 10.0.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the "PageControllerXml.jsp" endpoint until a patch is available. Avoid using the vulnerable API endpoint with crafted XXE payloads until the issue is resolved.