Total
1045 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-21680 | 1 Jenkins | 1 Nested View | 2023-11-22 | 5.5 MEDIUM | 7.1 HIGH |
| Jenkins Nested View Plugin 1.20 and earlier does not configure its XML transformer to prevent XML external entity (XXE) attacks. | |||||
| CVE-2022-28140 | 1 Jenkins | 1 Flaky Test Handler | 2023-11-17 | 5.5 MEDIUM | 8.1 HIGH |
| Jenkins Flaky Test Handler Plugin 1.2.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2022-0861 | 1 Mcafee | 1 Epolicy Orchestrator | 2023-11-15 | 5.5 MEDIUM | 3.8 LOW |
| A XML Extended entity vulnerability in McAfee Enterprise ePolicy Orchestrator (ePO) prior to 5.10 Update 13 allows a remote administrator attacker to upload a malicious XML file through the extension import functionality. The impact is limited to some access to confidential information and some ability to alter data. | |||||
| CVE-2022-2330 | 2 Mcafee, Microsoft | 2 Data Loss Prevention Endpoint, Windows | 2023-11-15 | N/A | 6.5 MEDIUM |
| Improper Restriction of XML External Entity Reference vulnerability in DLP Endpoint for Windows prior to 11.9.100 allows a remote attacker to cause the DLP Agent to access a local service that the attacker wouldn't usually have access to via a carefully constructed XML file, which the DLP Agent doesn't parse correctly. | |||||
| CVE-2022-34832 | 1 Vermeg | 1 Agile Reporter | 2023-11-08 | N/A | 6.5 MEDIUM |
| An issue was discovered in VERMEG AgileReporter 21.3. XXE can occur via an XML document to the Analysis component. | |||||
| CVE-2023-30951 | 1 Palantir | 1 Magritte-rest-source-bundle | 2023-11-07 | N/A | 6.5 MEDIUM |
| The Foundry Magritte plugin rest-source was found to be vulnerable to an an XML external Entity attack (XXE). | |||||
| CVE-2023-27874 | 2 Ibm, Linux | 2 Aspera Faspex, Linux Kernel | 2023-11-07 | N/A | 8.8 HIGH |
| IBM Aspera Faspex 4.4.2 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote authenticated attacker could exploit this vulnerability to execute arbitrary commands. IBM X-Force ID: 249845. | |||||
| CVE-2023-27876 | 1 Ibm | 1 Tririga Application Platform | 2023-11-07 | N/A | 7.1 HIGH |
| IBM TRIRIGA 4.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 249975. | |||||
| CVE-2023-26043 | 1 Geosolutionsgroup | 1 Geonode | 2023-11-07 | N/A | 6.5 MEDIUM |
| GeoNode is an open source platform that facilitates the creation, sharing, and collaborative use of geospatial data. GeoNode is vulnerable to an XML External Entity (XXE) injection in the style upload functionality of GeoServer leading to Arbitrary File Read. This issue has been patched in version 4.0.3. | |||||
| CVE-2023-20174 | 1 Cisco | 1 Identity Services Engine | 2023-11-07 | N/A | 4.9 MEDIUM |
| Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to read arbitrary files or conduct a server-side request forgery (SSRF) attack through an affected device. To exploit these vulnerabilities, an attacker must have valid Administrator credentials on the affected device. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2023-20173 | 1 Cisco | 1 Identity Services Engine | 2023-11-07 | N/A | 4.9 MEDIUM |
| Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to read arbitrary files or conduct a server-side request forgery (SSRF) attack through an affected device. To exploit these vulnerabilities, an attacker must have valid Administrator credentials on the affected device. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2023-20030 | 1 Cisco | 1 Identity Services Engine | 2023-11-07 | N/A | 6.0 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access sensitive information, conduct a server-side request forgery (SSRF) attack through an affected device, or negatively impact the responsiveness of the web-based management interface itself. This vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by uploading a crafted XML file that contains references to external entities. A successful exploit could allow the attacker to retrieve files from the local system, resulting in the disclosure of confidential information. A successful exploit could also cause the web application to perform arbitrary HTTP requests on behalf of the attacker or consume memory resources to reduce the availability of the web-based management interface. To successfully exploit this vulnerability, an attacker would need valid Super Admin or Policy Admin credentials. | |||||
| CVE-2023-1288 | 1 3ds | 1 Enovia Live Collaboration | 2023-11-07 | N/A | 7.5 HIGH |
| An XML External Entity injection (XXE) vulnerability in ENOVIA Live Collaboration V6R2013xE allows an attacker to read local files on the server. | |||||
| CVE-2022-48565 | 2 Debian, Python | 2 Debian Linux, Python | 2023-11-07 | N/A | 9.8 CRITICAL |
| An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities. | |||||
| CVE-2022-43941 | 1 Hitachi | 1 Vantara Pentaho Business Analytics Server | 2023-11-07 | N/A | 6.5 MEDIUM |
| Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x do not correctly protect the Post Analysis service endpoint of the data access plugin against out-of-band XML External Entity Reference. | |||||
| CVE-2022-43473 | 1 Zohocorp | 3 Manageengine Opmanager, Manageengine Opmanager Msp, Manageengine Opmanager Plus | 2023-11-07 | N/A | 5.4 MEDIUM |
| A blind XML External Entity (XXE) vulnerability exists in the Add UCS Device functionality of ManageEngine OpManager 12.6.168. A specially crafted XML file can lead to SSRF. An attacker can serve a malicious XML payload to trigger this vulnerability. | |||||
| CVE-2022-43570 | 1 Splunk | 2 Splunk, Splunk Cloud Platform | 2023-11-07 | N/A | 6.5 MEDIUM |
| In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, an authenticated user can perform an extensible markup language (XML) external entity (XXE) injection via a custom View. The XXE injection causes Splunk Web to embed incorrect documents into an error. | |||||
| CVE-2022-39954 | 1 Fortinet | 2 Fortinac, Fortinac-f | 2023-11-07 | N/A | 9.1 CRITICAL |
| An improper restriction of xml external entity reference in Fortinet FortiNAC version 9.4.0 through 9.4.1, FortiNAC version 9.2.0 through 9.2.7, FortiNAC version 9.1.0 through 9.1.8, FortiNAC version 8.8.0 through 8.8.11, FortiNAC version 8.7.0 through 8.7.6, FortiNAC version 8.6.0 through 8.6.5, FortiNAC version 8.5.0 through 8.5.4, FortiNAC version 8.3.7 allows attacker to read arbitrary files or trigger a denial of service via specifically crafted XML documents. | |||||
| CVE-2022-38389 | 1 Ibm | 1 Tivoli Workload Scheduler | 2023-11-07 | N/A | 9.1 CRITICAL |
| IBM Tivoli Workload Scheduler 9.4, 9.5, and 10.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 233975. | |||||
| CVE-2022-2838 | 1 Eclipse | 1 Sphinx | 2023-11-07 | N/A | 5.3 MEDIUM |
| In Eclipse Sphinx™ before version 0.13.1, Apache Xerces XML Parser was used without disabling processing of referenced external entities allowing the injection of arbitrary definitions which is able to access local files and expose their contents via HTTP requests. | |||||