PT-2021-21649 · Altova · Altova MobileTogether Server

Published: 2021-08-10 · Updated: 2021-08-18 · CVE-2021-37425

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Altova MobileTogether Server versions prior to 7.3 SP1
Description: Altova MobileTogether Server before 7.3 SP1 is vulnerable to XML External Entity (XXE) injection. Reported attacks include InfoSetChanges/Changes requests against the "/workflowmanagement" API endpoint, and using the entity expansion to read the mobiletogetherserver.cfg file and, from there, the server's certificate and private key. Per the vector, the attack is reachable over the network without authentication or user interaction (AV:N, PR:N, UI:N), with high confidentiality and availability impact and no integrity impact.
Recommendations: Update to version 7.3 SP1 or later, which resolves the issue. Until the update can be applied, restrict network access to the "/workflowmanagement" API endpoint to trusted sources. Note that file-system permissions on mobiletogetherserver.cfg do not block this attack, because the server process itself performs the read on the attacker's behalf; the update and access control on the endpoint are the effective controls. If exploitation is suspected, treat the server's certificate and private key as exposed and reissue them.
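The following is an added, generic illustration of the XXE weakness class described above and of the parser-side hardening that resolves it; it is not Altova's code, not the /workflowmanagement request format (which this page does not reproduce), and not an exploit for the product. It uses Python's standard xml.sax parser, whose feature_external_ges switch selects between resolving external general entities (the XXE-prone behaviour) and ignoring them (the hardened behaviour, and the stdlib default since Python 3.7.1). The "config file" it reads is a constructed temporary file, and has_external_entity_decl is a hypothetical pre-parse check for request bodies:

```python
# Added, generic demonstration of XML External Entity (XXE) injection and its
# parser-side fix. Not Altova's code and not the product's request format.
import io
import os
import re
import tempfile
import xml.sax
from xml.sax import handler


class _TextCollector(handler.ContentHandler):
    """Gathers all character data the parser delivers for the document."""

    def __init__(self):
        super().__init__()
        self._chunks = []

    def characters(self, content):
        self._chunks.append(content)

    def text(self):
        return "".join(self._chunks)


def build_payload(local_path: str) -> bytes:
    """Constructed XXE document: an external general entity whose system
    identifier is a local file, referenced inside an element so that the
    file's contents are spliced into the parsed text."""
    return (
        b'<?xml version="1.0"?>'
        b'<!DOCTYPE r [<!ENTITY xxe SYSTEM "' + local_path.encode() + b'">]>'
        b"<r>&xxe;</r>"
    )


def parse_text(xml_bytes: bytes, resolve_external: bool) -> str:
    """Parse the document and return its character data.

    resolve_external=True is the XXE-prone configuration: the parser opens
    the entity's system identifier and inserts the result. False is the
    hardened configuration (the stdlib default since Python 3.7.1): the
    entity reference expands to nothing."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


# Matches <!ENTITY name SYSTEM|PUBLIC ...> (general or parameter entity) and
# <!DOCTYPE name SYSTEM|PUBLIC ...> (external DTD subset).
_EXTERNAL_DECL = re.compile(
    rb"<!(?:ENTITY\s+(?:%\s*)?\S+|DOCTYPE\s+\S+)\s+(?:SYSTEM|PUBLIC)\b",
    re.IGNORECASE,
)


def has_external_entity_decl(xml_bytes: bytes) -> bool:
    """Hypothetical coarse request-body check: does the DOCTYPE declare an
    external entity or an external DTD subset? Useful as a filter or a
    detection signature in front of a parser you cannot reconfigure; it is
    not a substitute for disabling resolution in the parser itself."""
    return _EXTERNAL_DECL.search(xml_bytes) is not None


def demo() -> dict:
    """Run both parser configurations against a constructed 'config file'."""
    with tempfile.NamedTemporaryFile("w", suffix=".cfg", delete=False) as f:
        f.write("constructed-secret")  # stands in for a file readable by the server process
        path = f.name
    try:
        payload = build_payload(path)
        return {
            "flagged": has_external_entity_decl(payload),
            "vulnerable": parse_text(payload, resolve_external=True),
            "hardened": parse_text(payload, resolve_external=False),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

With resolution enabled, the file's contents come back as ordinary element text, which is exactly how a config file and then the key material it points to can leave the server inside an API response. The regex check is a detection aid only: if an endpoint never legitimately needs a DOCTYPE, rejecting any document that contains one is the simpler policy, and the parser must still be configured not to resolve external entities or fetch DTDs.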

Weakness: XXE (XML External Entity injection)

Related Identifiers: CVE-2021-37425

Affected Products: Altova MobileTogether Server