XXE in Logisim 2.7.1 and forks

Description

Logisim 2.7.1 and all of its forks are vulnerable to an XML External Entity (XXE) attack through a maliciously constructed circuit file. Example XXE exploits are available from OWASP and work with minor modification to fit the format of Logisim circuit files.

Mitigation

The official Logisim is no longer maintained, according to its website. As such, no attempt was made to notify the original maintainer. However, various forks of Logisim are maintained, and all were vulnerable to this issue. We notified the maintainers of the most common fork (Logisim Evolution), and the issue was fixed in version 2.14.4 (all prior versions are vulnerable).
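As an added illustration of the kind of hardening an XML-consuming application needs (example code written for this page, not taken from Logisim or Logisim Evolution), the following Java loader configures the JDK's DocumentBuilderFactory so that a circuit file carrying a DOCTYPE is refused before any entity could be resolved. The class and method names and the two constructed circuit documents are assumptions; the root element of a circuit file is approximated here.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class SafeCircuitLoader {

    // Hardened factory: refuses DOCTYPE declarations outright, and also
    // disables external entities and DTD loading in case the first
    // feature is unsupported by a particular parser implementation.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    // Parses a circuit file with the hardened factory (hypothetical loader).
    static Document parseCircuit(byte[] circ) throws Exception {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        return db.parse(new ByteArrayInputStream(circ));
    }

    public static void main(String[] args) throws Exception {
        // Constructed minimal circuit document, approximating a .circ file.
        String benign = "<?xml version=\"1.0\"?><project version=\"1.0\"><circuit name=\"main\"/></project>";
        // Constructed document carrying a DOCTYPE with an external entity; the
        // SYSTEM URI is a placeholder, the point is that the declaration is refused.
        String hostile = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE project [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER\">]>"
            + "<project version=\"1.0\"><circuit name=\"&ext;\"/></project>";
        Document ok = parseCircuit(benign.getBytes(StandardCharsets.UTF_8));
        System.out.println("benign root: " + ok.getDocumentElement().getTagName());
        try {
            parseCircuit(hostile.getBytes(StandardCharsets.UTF_8));
            System.out.println("UNEXPECTED: hostile file accepted");
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The disallow-doctype-decl feature is the decisive control: with it set, the parser raises a SAXParseException on the DOCTYPE line of the hostile file, so no entity is ever resolved.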