Total
1045 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-0272 | 1 Detekt | 1 Detekt | 2022-04-28 | 7.5 HIGH | 9.8 CRITICAL |
| Improper Restriction of XML External Entity Reference in GitHub repository detekt/detekt prior to 1.20.0. | |||||
| CVE-2022-0221 | 1 Schneider-electric | 1 Scadapack Workbench | 2022-04-21 | 4.3 MEDIUM | 5.5 MEDIUM |
| A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could result in information disclosure when opening a malicious solution file provided by an attacker with SCADAPack Workbench. This could be exploited to pass data from local files to a remote system controlled by an attacker. Affected Product: SCADAPack Workbench (6.6.8a and prior) | |||||
| CVE-2017-2815 | 1 Igniterealtime | 1 User Import Export | 2022-04-19 | 5.5 MEDIUM | 8.1 HIGH |
| An exploitable XML entity injection vulnerability exists in OpenFire User Import Export Plugin 2.6.0. A specially crafted web request can cause the retrieval of arbitrary files or denial of service. An authenticated attacker can send a crafted web request to trigger this vulnerability. | |||||
| CVE-2020-24591 | 1 Wso2 | 5 Api Manager, Api Manager Analytics, Api Microgateway and 2 more | 2022-04-19 | 5.5 MEDIUM | 6.5 MEDIUM |
| The Management Console in certain WSO2 products allows XXE attacks during EventReceiver updates. This affects API Manager through 3.0.0, API Manager Analytics 2.2.0 and 2.5.0, API Microgateway 2.2.0, Enterprise Integrator 6.2.0 and 6.3.0, and Identity Server Analytics through 5.6.0. | |||||
| CVE-2021-46365 | 1 Magnolia-cms | 1 Magnolia Cms | 2022-04-19 | 6.8 MEDIUM | 7.8 HIGH |
| An issue in the Export function of Magnolia v6.2.3 and below allows attackers to execute XML External Entity attacks via a crafted XLF file. | |||||
| CVE-2019-15637 | 4 Apple, Linux, Microsoft and 1 more | 7 Macos, Linux Kernel, Windows and 4 more | 2022-04-18 | 5.5 MEDIUM | 8.1 HIGH |
| Numerous Tableau products are vulnerable to XXE via a malicious workbook, extension, or data source, leading to information disclosure or a DoS. This affects Tableau Server, Tableau Desktop, Tableau Reader, and Tableau Public Desktop. | |||||
| CVE-2022-1018 | 1 Rockwellautomation | 3 Connected Components Workbench, Isagraf, Safety Instrumented Systems Workstation | 2022-04-12 | 4.3 MEDIUM | 5.5 MEDIUM |
| When opening a malicious solution file provided by an attacker, the application suffers from an XML external entity vulnerability due to an unsafe call within a dynamic link library file. An attacker could exploit this to pass data from local files to a remote web server, leading to a loss of confidentiality. | |||||
| CVE-2014-0225 | 2 Pivotal Software, Vmware | 2 Spring Framework, Spring Framework | 2022-04-11 | 6.8 MEDIUM | 8.8 HIGH |
| When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack. | |||||
| CVE-2013-6429 | 2 Pivotal Software, Vmware | 2 Spring Framework, Spring Framework | 2022-04-11 | 6.8 MEDIUM | N/A |
| The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315. | |||||
| CVE-2016-9318 | 3 Canonical, Xmlsec Project, Xmlsoft | 3 Ubuntu Linux, Xmlsec, Libxml2 | 2022-04-08 | 4.3 MEDIUM | 5.5 MEDIUM |
| libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document. | |||||
| CVE-2021-43142 | 1 Jox Project | 1 Jox | 2022-04-06 | 7.5 HIGH | 9.8 CRITICAL |
| An XML External Entity (XXE) vulnerability exists in wuta jox 1.16 in the readObject method in JOXSAXBeanInput. | |||||
| CVE-2021-33208 | 1 Softwareag | 1 Mashzone Nextgen | 2022-04-05 | 6.5 MEDIUM | 7.2 HIGH |
| The "Register an Ehcache Configuration File" admin feature in MashZone NextGen through 10.7 GA allows XXE attacks via a malicious XML configuration file. | |||||
| CVE-2021-44477 | 1 Ge | 1 Toolboxst | 2022-04-04 | 5.0 MEDIUM | 7.5 HIGH |
| GE Gas Power ToolBoxST Version v04.07.05C suffers from an XML external entity (XXE) vulnerability using the DTD parameter entities technique that could result in disclosure and retrieval of arbitrary data on the affected node via an out-of-band (OOB) attack. The vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project/template file. | |||||
| CVE-2021-42194 | 1 Eyoucms | 1 Eyoucms | 2022-03-29 | 6.5 MEDIUM | 7.2 HIGH |
| The wechat_return function in /controller/Index.php of EyouCms V1.5.4-UTF8-SP3 passes the user's input directly into the simplexml_ load_ String function, which itself does not prohibit external entities, triggering a XML external entity (XXE) injection vulnerability. | |||||
| CVE-2022-26661 | 2 Debian, Tryton | 3 Debian Linux, Proteus, Trytond | 2022-03-18 | 4.0 MEDIUM | 6.5 MEDIUM |
| An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system. | |||||
| CVE-2022-22795 | 1 Signiant | 1 Manager\+agents | 2022-03-15 | 6.4 MEDIUM | 9.1 CRITICAL |
| Signiant - Manager+Agents XML External Entity (XXE) - Extract internal files of the affected machine An attacker can read all the system files, the product is running with root on Linux systems and nt/authority on windows systems, which allows him to access and extract any file on the systems, such as passwd, shadow, hosts and so on. By gaining access to these files, attackers can steal sensitive information from the victims machine. | |||||
| CVE-2022-25312 | 1 Apache | 1 Any23 | 2022-03-12 | 6.4 MEDIUM | 9.1 CRITICAL |
| An XML external entity (XXE) injection vulnerability was discovered in the Any23 RDFa XSLTStylesheet extractor and is known to affect Any23 versions < 2.7. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access. This issue is fixed in Apache Any23 2.7. | |||||
| CVE-2022-24340 | 1 Jetbrains | 1 Teamcity | 2022-03-04 | 7.5 HIGH | 9.8 CRITICAL |
| In JetBrains TeamCity before 2021.2.1, XXE during the parsing of the configuration file was possible. | |||||
| CVE-2021-46660 | 1 Signiant | 1 Manager\+agents | 2022-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| Signiant Manager+Agents before 15.1 allows XML External Entity (XXE) attacks. | |||||
| CVE-2018-7230 | 1 Schneider-electric | 40 Ibp1110-1er, Ibp1110-1er Firmware, Ibp219-1er and 37 more | 2022-02-02 | 6.8 MEDIUM | 8.8 HIGH |
| A XML external entity (XXE) vulnerability exists in the import.cgi of the web interface component of the Schneider Electric's Pelco Sarix Professional in all firmware versions prior to 3.29.67. | |||||