{"id":"CVE-2021-42560","details":"An issue was discovered in CALDERA 2.9.0. The Debrief plugin receives base64 encoded \"SVG\" parameters when generating a PDF document. These SVG documents are parsed in an unsafe manner and can be leveraged for XXE attacks (e.g., File Exfiltration, Server Side Request Forgery, Out of Band Exfiltration, etc.).","modified":"2026-03-14T08:24:05.071388Z","published":"2022-01-12T19:15:08.267Z","references":[{"type":"ADVISORY","url":"https://github.com/mitre/caldera/releases"},{"type":"EVIDENCE","url":"https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2021-42560-Unsafe%20XML%20Parsing-MITRE%20Caldera"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mitre/caldera","events":[{"introduced":"0"},{"last_affected":"b874da9bf24ec9025a1016305642298143daaa8e"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.9.0"}]}}],"versions":["2.0.0","2.1.0","2.3.0","2.3.1","2.6.0","2.6.1","2.6.2","2.6.3","2.6.4","2.6.5","2.6.6","2.6.64","2.6.65","2.7.0","2.8.0","2.8.1","2.9.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-42560.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}