XXE injection can occur in i-net Clear Reports 2019 19.0.287 (Designer), as used in i-net HelpDesk and other products, when XML input containing a reference to an external entity is processed by a weakly configured XML parser.
Source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12684
Reference (s):
- https://www.inetsoftware.de/documentation/clear-reports/release-notes/releases/changes_20.4
- https://www.inetsoftware.de/documentation/clear-reports/release-notes/releases