The affected product is vulnerable to a network-based attack by threat actors supplying a crafted, malicious XML payload designed to trigger an external entity reference call.
Credits
Sharon Brizinov with Claroty reported these vulnerabilities to CISA.
