CVE-2021-38490: 
Altova MobileTogether Server vulnerability analysis and mitigation

Altova MobileTogether Server before version 7.3 SP1 was found to contain an XML exponential entity expansion vulnerability. This security flaw, tracked as CVE-2021-38490, is distinct from CVE-2021-37425 and affects versions 7.0-7.3 and potentially earlier versions of the software (NVD, RedTeam Advisory).

The vulnerability is classified as CWE-776 (Improper Restriction of Recursive Entity References in DTDs - 'XML Entity Expansion'). The CVSS v3.1 base score is 7.5 (HIGH), with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating that the vulnerability is network-accessible, requires low attack complexity, and needs no privileges or user interaction to exploit (NVD).

The vulnerability allows users with access to at least one app to read arbitrary, non-binary files from the file system and perform server-side requests. Additionally, it can be exploited to deny the availability of the system. Attackers could potentially compromise sensitive server information, including server certificates and private keys (RedTeam Advisory).

The vulnerability has been fixed in version 7.3 SP1 of Altova MobileTogether Server. No other workarounds were known at the time of discovery. Users are advised to upgrade to the fixed version to protect against this vulnerability (RedTeam Advisory).