Total: 1045 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2024-39586 | 1 Dell | 1 Emc Appsync | 2024-10-17 | N/A | 4.3 MEDIUM | Dell AppSync Server, version 4.3 through 4.6, contains an XML External Entity Injection vulnerability. An adjacent high privileged attacker could potentially exploit this vulnerability, leading to information disclosure.
CVE-2024-24743 | 1 Sap | 1 Netweaver Application Server Java | 2024-10-16 | N/A | 7.5 HIGH | SAP NetWeaver AS Java (CAF - Guided Procedures) - version 7.50, allows an unauthenticated attacker to submit a malicious request with a crafted XML file over the network, which when parsed will enable him to access sensitive files and data but not modify them. There are expansion limits in place so that availability is not affected.
CVE-2019-13990 | 5 Apache, Atlassian, Netapp and 2 more | 31 Tomee, Jira Service Management, Active Iq Unified Manager and 28 more | 2024-10-15 | 7.5 HIGH | 9.8 CRITICAL | initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.
CVE-2022-4245 | 2 Codehaus-plexus, Redhat | 2 Plexus-utils, Integration Camel K | 2024-10-10 | N/A | 4.3 MEDIUM | A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a `-->` sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection.
CVE-2023-45192 | 1 Ibm | 1 Doors Next | 2024-10-08 | N/A | 8.2 HIGH | IBM Engineering Requirements Management DOORS Next 7.0.2 and 7.0.3 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 268758.
CVE-2024-3930 | 1 Perforce | 1 Akana Api | 2024-09-30 | N/A | 9.8 CRITICAL | In versions of Akana API Platform prior to 2024.1.0, a flaw resulting in XML External Entity (XXE) injection was discovered.
CVE-2024-46985 | 1 Dataease | 1 Dataease | 2024-09-27 | N/A | 7.5 HIGH | DataEase is an open source data visualization analysis tool. Prior to version 2.10.1, there is an XML external entity injection vulnerability in the static resource upload interface of DataEase. An attacker can construct a payload to implement intranet detection and file reading. The vulnerability has been fixed in v2.10.1.
CVE-2023-41365 | 1 Sap | 1 Business One | 2024-09-26 | N/A | 4.3 MEDIUM | SAP Business One (B1i) - version 10.0, allows an authorized attacker to retrieve the detailed stack trace of the fault message to conduct the XXE injection, which will lead to information disclosure. After successful exploitation, an attacker can cause limited impact on the confidentiality and no impact to the integrity and availability.
CVE-2024-46984 | 1 Gematik | 1 Reference Validator | 2024-09-25 | N/A | 9.8 CRITICAL | The reference validator is a tool to perform advanced validation of FHIR resources for TI applications and interoperability standards. The profile location routine in the referencevalidator commons package is vulnerable to `XML External Entities` attack due to insecure defaults of the used Woodstox WstxInputFactory. A malicious XML resource can lead to network requests issued by referencevalidator and thus to a `Server Side Request Forgery` attack. The vulnerability impacts applications which use referencevalidator to process XML resources from untrusted sources. The problem has been patched with the 2.5.1 version of the referencevalidator. Users are strongly recommended to update to this version or a more recent one. A pre-processing or manual analysis of input XML resources on existence of DTD definitions or external entities can mitigate the problem.
CVE-2024-7098 | 1 Sfs | 1 Winsure | 2024-09-20 | N/A | 9.8 CRITICAL | Improper Restriction of XML External Entity Reference vulnerability in SFS Consulting ww.Winsure allows XML Injection. This issue affects ww.Winsure: before 4.6.2.
CVE-2022-22835 | 1 Overit | 1 Geocall | 2024-09-18 | 3.5 LOW | 6.5 MEDIUM | An issue was discovered in OverIT Geocall before version 8.0. An authenticated user who has the Test Trasformazione XSL functionality enabled can exploit an XXE vulnerability to read arbitrary files from the filesystem.
CVE-2023-37233 | 1 Loftware | 1 Spectrum | 2024-09-18 | N/A | 8.8 HIGH | Loftware Spectrum before 4.6 HF14 allows authenticated XXE attacks.
CVE-2023-46265 | 1 Ivanti | 1 Avalanche | 2024-09-17 | N/A | 9.8 CRITICAL | An unauthenticated attacker could abuse an XXE vulnerability in the Smart Device Server to leak data or perform a Server-Side Request Forgery (SSRF).
CVE-2024-21796 | 1 Dfeg | 1 Electronic Deliverables Creation Support Tool | 2024-09-10 | N/A | 5.5 MEDIUM | Electronic Deliverables Creation Support Tool (Construction Edition) prior to Ver1.0.4 and Electronic Deliverables Creation Support Tool (Design & Survey Edition) prior to Ver1.0.4 improperly restrict XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker.
CVE-2023-48362 | 1 Apache | 1 Drill | 2024-09-10 | N/A | 8.8 HIGH | XXE in the XML Format Plugin in Apache Drill version 1.19.0 and greater allows a user to read any file on a remote file system or execute commands via a malicious XML file. Users are recommended to upgrade to version 1.21.2, which fixes this issue.
CVE-2023-46502 | 1 Opencrx | 1 Opencrx | 2024-09-09 | N/A | 9.8 CRITICAL | An issue in openCRX v.5.2.2 allows a remote attacker to read internal files and execute a server side request forgery attack via an insecure DocumentBuilderFactory.
CVE-2019-12331 | 1 Phpoffice | 1 Phpspreadsheet | 2024-09-04 | 6.8 MEDIUM | 8.8 HIGH | PHPOffice PhpSpreadsheet before 1.8.0 has an XXE issue. The XmlScanner decodes the sheet1.xml from an .xlsx to utf-8 if something else than UTF-8 is declared in the header. This was a security measure to prevent CVE-2018-19277 but the fix is not sufficient. By double-encoding the xml payload to utf-7 it is possible to bypass the check for the string '<!ENTITY' and thus allow for an xml external entity processing (XXE) attack.
CVE-2024-45048 | 1 Phpoffice | 1 Phpspreadsheet | 2024-09-04 | N/A | 6.5 MEDIUM | PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Affected versions are subject to a bypassing of a filter which allows for an XXE attack. This in turn allows an attacker to obtain contents of local files, even if error reporting is muted. This vulnerability has been addressed in release version 2.2.1. All users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2024-38653 | 1 Ivanti | 1 Avalanche | 2024-08-15 | N/A | 7.5 HIGH | XXE in SmartDeviceServer in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to read arbitrary files on the server.
CVE-2024-6893 | 1 Journyx | 1 Journyx | 2024-08-08 | N/A | 7.5 HIGH | The "soap_cgi.pyc" API handler allows the XML body of SOAP requests to contain references to external entities. This allows an unauthenticated attacker to read local files, perform server-side request forgery, and overwhelm the web server resources.