CVE-2021-46365: 
Java vulnerability analysis and mitigation

An issue in the Export function of Magnolia CMS v6.2.3 and below allows attackers to execute XML External Entity (XXE) attacks via a crafted XLF file. The vulnerability was discovered and disclosed in early 2022, affecting all versions of Magnolia CMS up to and including version 6.2.3 (NVD, MITRE).

The vulnerability exists in the Content Translation module's Export functionality when processing XLF files. The issue stems from unsafe XML parsing that allows for XML External Entity (XXE) attacks. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

The vulnerability can be exploited to read arbitrary files using the 'file:' protocol and the Export function, as well as to perform Server-Side Request Forgery (SSRF) attacks. An attacker could potentially access sensitive system files or make unauthorized internal network requests (GitHub Disclosure).

The vulnerability has been fixed in Magnolia CMS version 6.2.4. Users are strongly recommended to upgrade to this version or later to address the security issue (Release Notes).