CVE-2021-42560

Name of the Vulnerable Software and Affected Versions CALDERA version 2.9.0

Description An issue was discovered in the Debrief plugin of CALDERA, where it receives base64 encoded "SVG" parameters when generating a PDF document. These SVG documents are parsed in an unsafe manner, which can be leveraged for XXE attacks, including File Exfiltration, Server Side Request Forgery, and Out of Band Exfiltration.

Recommendations For CALDERA version 2.9.0, consider disabling the Debrief plugin until a patch is available to prevent XXE attacks. Restrict access to the Debrief plugin to minimize the risk of exploitation. Avoid using the Debrief plugin for generating PDF documents with base64 encoded "SVG" parameters until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.