
XML parsing functionality is vulnerable to XML External Entity (XXE) reference

Low
tsClinical published GHSA-v99q-c7rh-fxpg Feb 13, 2023

Package                                      Affected versions   Patched versions
tsClinical Define.xml Generator (Java)       All                 N/A
tsClinical Metadata Desktop Tools (Maven)    < 1.1.1             1.1.1

Description

tsClinical Metadata Desktop Tools (and its predecessor, tsClinical Define.xml Generator) has functionality that reads a user-supplied XML file in order to validate it or to convert it to another format (Excel or HTML). The XML parser used for this resolves external entities. If the user opens an XML file supplied by a malicious third party in the tool, a local file that meets specific conditions may be obtained by that third party.

Impact

If an XML file from a malicious third party contains an XML External Entity (XXE) declaration, a local file that meets both of the following conditions may be divulged to that third party:

  • The path of the file on the PC where this tool is running is known to the attacker.
  • The file content consists only of characters that the entity can carry into a URL. The content is leaked by splicing it into a URL that the parser then fetches from an attacker-controlled server, so the file must be a text file that contains no line breaks, ampersands "&", or similar characters that would break the entity declaration or the URL.
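As an added illustration, not code from the tsClinical project, the following Java program shows the in-band form of the same bug and its fix: a constructed ODM-like document declares an external entity pointing at a local file, a default JDK DocumentBuilderFactory resolves it and returns the file content, and a hardened factory rejects the document before any entity is resolved. The temporary file, its content, the document, and the class and method names are all assumptions made for the demo; it relies only on the JDK's built-in JAXP/Xerces parser.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

// Added example, not part of tsClinical: vulnerable vs. hardened XML parsing.
public class XxeDemo {

    // Parses the way a naive tool does. The JDK defaults resolve external
    // general entities, so "&xxe;" below is replaced by the local file's content.
    static String parseWithDefaults(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        return studyName(doc);
    }

    // Hardened parser: a DOCTYPE is rejected outright, and as defence in depth
    // external general/parameter entities and external DTD/schema access are
    // disabled. The same settings also stop the out-of-band (parameter entity)
    // variant described in the advisory, because no DTD is ever processed.
    static String parseHardened(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // JAXP 1.5 properties (JDK 7u40+); older standalone Xerces may reject them.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        return studyName(doc);
    }

    // Text content of the first StudyName element (factory is not namespace-aware,
    // so the plain local name matches).
    static String studyName(Document doc) {
        return doc.getElementsByTagName("StudyName").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed "sensitive" local file whose path the attacker is assumed to know.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "SECRET_TOKEN_123".getBytes(StandardCharsets.UTF_8));

        // Constructed malicious document. The entity reference must sit in element
        // content: the XML spec forbids external entity references in attribute values.
        String xml = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE ODM [ <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\"> ]>\n"
            + "<ODM xmlns=\"http://www.cdisc.org/ns/odm/v1.3\">\n"
            + "  <Study OID=\"S1\"><StudyName>&xxe;</StudyName></Study>\n"
            + "</ODM>\n";

        try {
            // Leaks the file: prints "default parser read: SECRET_TOKEN_123"
            System.out.println("default parser read: " + parseWithDefaults(xml));
            try {
                parseHardened(xml);
                System.out.println("hardened parser: unexpected success");
            } catch (SAXParseException e) {
                // Expected: "DOCTYPE is disallowed when the feature ... set to true."
                System.out.println("hardened parser rejected the file: " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

If the tool must still accept documents that carry a DOCTYPE (for instance to honour a DTD it ships itself), drop only the disallow-doctype-decl line and keep the remaining settings; disabling external entities and external DTD loading is what actually prevents the file read and the outbound fetch.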

Patches

This vulnerability is fixed in tsClinical Metadata Desktop Tools V1.1.1. See the "Downloading and Running Binary Distribution" section of README.md or README_ja.md for how to download and run the tool.
Note: Development of tsClinical Define.xml Generator has ended and it will not receive a fix. Users of tsClinical Define.xml Generator are advised to move to the successor tool, tsClinical Metadata Desktop Tools.

Workarounds

A user can work around this vulnerability as follows:

  • Do not use the following menus, or do not open XML files of unknown origin in them.

    tsClinical Metadata Desktop Tools:
      • Convert from Define-XML to Excel
      • Convert from XML to HTML
      • Convert from ODM-XML to Excel
      • Validate XML against XML Schema

    tsClinical Define.xml Generator:
      • Import Define.xml
      • Validate against XML Schema

Severity

Low (2.5 / 10)

CVSS base metrics

  • Attack vector: Local
  • Attack complexity: High
  • Privileges required: None
  • User interaction: Required
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: None
  • Availability: None

CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

CVE ID

CVE-2023-22377

Weaknesses