Total
1045 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-9488 | 1 Trendmicro | 2 Deep Security Manager, Vulnerability Protection | 2019-09-13 | 4.0 MEDIUM | 4.9 MEDIUM |
| Trend Micro Deep Security Manager (10.x, 11.x) and Vulnerability Protection (2.0) are vulnerable to a XML External Entity Attack. However, for the attack to be possible, the attacker must have root/admin access to a protected host which is authorized to communicate with the Deep Security Manager (DSM). | |||||
| CVE-2018-1000835 | 1 Keepassdx | 1 Keepass Dx | 2019-09-12 | 7.5 HIGH | 10.0 CRITICAL |
| KeePassDX version <= 2.5.0.0beta17 contains a XML External Entity (XXE) vulnerability in kdbx file parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. | |||||
| CVE-2018-1000837 | 1 Obeo | 1 Uml Designer | 2019-09-11 | 7.5 HIGH | 10.0 CRITICAL |
| UML Designer version <= 8.0.0 contains a XML External Entity (XXE) vulnerability in XML parser for plugins that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via malicious plugins.xml file. | |||||
| CVE-2019-16174 | 1 Limesurvey | 1 Limesurvey | 2019-09-10 | 6.8 MEDIUM | 8.8 HIGH |
| An XML injection vulnerability was found in Limesurvey before 3.17.14 that allows remote attackers to import specially crafted XML files and execute code or compromise data integrity. | |||||
| CVE-2019-15641 | 1 Webmin | 1 Webmin | 2019-08-30 | 6.8 MEDIUM | 6.5 MEDIUM |
| xmlrpc.cgi in Webmin through 1.930 allows authenticated XXE attacks. By default, only root, admin, and sysadm can access xmlrpc.cgi. | |||||
| CVE-2019-14258 | 1 Zenoss | 1 Zenoss | 2019-08-30 | 5.0 MEDIUM | 7.5 HIGH |
| The XML-RPC subsystem in Zenoss 2.5.3 allows XXE attacks that lead to unauthenticated information disclosure via port 9988. | |||||
| CVE-2019-13176 | 1 3cx | 1 3cx | 2019-08-28 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in the 3CX Phone system (web) management console 12.5.44178.1002 through 12.5 SP2. The Content.MainForm.wgx component is affected by XXE via a crafted XML document in POST data. There is potential to use this for SSRF (reading local files, outbound HTTP, and outbound DNS). | |||||
| CVE-2019-13031 | 2 Debian, Lemonldap-ng | 2 Debian Linux, Lemonldap\ | 2019-08-26 | 6.8 MEDIUM | 8.1 HIGH |
| LemonLDAP::NG before 1.9.20 has an XML External Entity (XXE) issue when submitting a notification to the notification server. By default, the notification server is not enabled and has a "deny all" rule. | |||||
| CVE-2018-14383 | 1 Ttpsc | 1 The Scheduler | 2019-08-14 | 5.0 MEDIUM | 7.5 HIGH |
| The Transition Technologies "The Scheduler" app 5.1.3 for Jira allows XXE due to a weakly configured/parameterized XML parser. It was fixed in the versions 5.2.1 and 3.3.7 | |||||
| CVE-2017-18438 | 1 Cpanel | 1 Cpanel | 2019-08-09 | 6.5 MEDIUM | 6.3 MEDIUM |
| cPanel before 64.0.21 allows demo accounts to execute code via Encoding API calls (SEC-242). | |||||
| CVE-2019-1010202 | 1 Jeesite | 1 Jeesite | 2019-08-05 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jeesite 1.2.7 is affected by: XML External Entity (XXE). The impact is: sensitive information disclosure. The component is: convertToModel() function in src/main/java/com.thinkgem.jeesite/modules/act/service/ActProcessService.java. The attack vector is: network connectivity,authenticated,must upload a specially crafted xml file. The fixed version is: 4.0 and later. | |||||
| CVE-2019-10264 | 1 Ahsay | 1 Cloud Backup Suite | 2019-07-31 | 6.5 MEDIUM | 7.2 HIGH |
| An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. With a valid administrator account, the "Move / Import / Export Users" screen has an Import Users option. This option accepts a ZIP archive containing a users.xml file that can trigger XXE. | |||||
| CVE-2019-10266 | 1 Ahsay | 1 Cloud Backup Suite | 2019-07-31 | 7.8 HIGH | 7.5 HIGH |
| An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. When sending an out-of-bounds XML document to a URL, it is possible to read the file structure and even the content of files without authentication. | |||||
| CVE-2017-6662 | 1 Cisco | 2 Evolved Programmable Network Manager, Prime Infrastructure | 2019-07-29 | 6.0 MEDIUM | 8.0 HIGH |
| A vulnerability in the web-based user interface of Cisco Prime Infrastructure (PI) and Evolved Programmable Network Manager (EPNM) could allow an authenticated, remote attacker read and write access to information stored in the affected system as well as perform remote code execution. The attacker must have valid user credentials. The vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing an XML file. An attacker could exploit this vulnerability by convincing the administrator of an affected system to import a crafted XML file with malicious entries which could allow the attacker to read and write files and execute remote code within the application, aka XML Injection. Cisco Prime Infrastructure software releases 1.1 through 3.1.6 are vulnerable. Cisco EPNM software releases 1.2, 2.0, and 2.1 are vulnerable. Cisco Bug IDs: CSCvc23894 CSCvc49561. | |||||
| CVE-2019-1010268 | 1 Ladon Project | 1 Ladon | 2019-07-24 | 7.5 HIGH | 9.8 CRITICAL |
| Ladon since 0.6.1 (since ebef0aae48af78c159b6fce81bc6f5e7e0ddb059) is affected by: XML External Entity (XXE). The impact is: Information Disclosure, reading files and reaching internal network endpoints. The component is: SOAP request handlers. For instance: https://bitbucket.org/jakobsg/ladon/src/42944fc012a3a48214791c120ee5619434505067/src/ladon/interfaces/soap.py#lines-688. The attack vector is: Send a specially crafted SOAP call. | |||||
| CVE-2019-7847 | 3 Adobe, Linux, Microsoft | 3 Campaign, Linux Kernel, Windows | 2019-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| Adobe Campaign Classic version 18.10.5-8984 and earlier versions have an Improper Restriction of XML External Entity Reference ('XXE') vulnerability. Successful exploitation could lead to Arbitrary read access to the file system in the context of the current user. | |||||
| CVE-2019-13625 | 1 Nsa | 1 Ghidra | 2019-07-19 | 9.4 HIGH | 9.1 CRITICAL |
| NSA Ghidra before 9.0.1 allows XXE when a project is opened or restored, or a tool is imported, as demonstrated by a project.prp file. | |||||
| CVE-2018-17152 | 1 Intersystems | 1 Cache | 2019-07-12 | 5.5 MEDIUM | 6.4 MEDIUM |
| Intersystems Cache 2017.2.2.865.0 allows XXE. | |||||
| CVE-2015-3907 | 1 Codeigniter-restserver Project | 1 Codeigniter-restserver | 2019-07-11 | 7.5 HIGH | 9.8 CRITICAL |
| CodeIgniter Rest Server (aka codeigniter-restserver) 2.7.1 allows XXE attacks. | |||||
| CVE-2016-6256 | 1 Sap | 1 Business One | 2019-07-08 | 6.8 MEDIUM | 9.6 CRITICAL |
| SAP Business One for Android 1.2.3 allows remote attackers to conduct XML External Entity (XXE) attacks via crafted XML data in a request to B1iXcellerator/exec/soap/vP.001sap0003.in_WCSX/com.sap.b1i.vplatform.runtime/INB_WS_CALL_SYNC_XPT/INB_WS_CALL_SYNC_XPT.ipo/proc, aka SAP Security Note 2378065. | |||||