Total
1045 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-7722 | 1 Pmd Project | 1 Pmd | 2019-02-21 | 6.8 MEDIUM | 8.1 HIGH |
| PMD 5.8.1 and earlier processes XML external entities in ruleset files it parses as part of the analysis process, allowing attackers tampering it (either by direct modification or MITM attacks when using remote rulesets) to perform information disclosure, denial of service, or request forgery attacks. (PMD 6.x is unaffected because of a 2017-09-15 change.) | |||||
| CVE-2018-1000889 | 1 Logisim-evolution Project | 1 Logisim-evolution | 2019-02-13 | 6.8 MEDIUM | 8.8 HIGH |
| Logisim Evolution version 2.14.3 and earlier contains an XML External Entity (XXE) vulnerability in Circuit file loading functionality (loadXmlFrom in src/com/cburch/logisim/file/XmlReader.java) that can result in information leak, possible RCE depending on system configuration. This attack appears to be exploitable via the victim opening a specially crafted circuit file. This vulnerability appears to have been fixed in 2.14.4. | |||||
| CVE-2018-11788 | 1 Apache | 1 Karaf | 2019-02-12 | 7.5 HIGH | 9.8 CRITICAL |
| Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by XMLInputFactory class. Apache Karaf XMLInputFactory class doesn't contain any mitigation codes against XXE. This is a potential security risk as an user can inject external XML entities in Apache Karaf version prior to 4.1.7 or 4.2.2. It has been fixed in Apache Karaf 4.1.7 and 4.2.2 releases. | |||||
| CVE-2018-1000836 | 1 Apereo | 1 Bw-calendar-engine | 2019-02-07 | 6.8 MEDIUM | 9.0 CRITICAL |
| bw-calendar-engine version <= bw-calendar-engine-3.12.0 contains a XML External Entity (XXE) vulnerability in IscheduleClient XML Parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via Man in the Middle or malicious server. | |||||
| CVE-2018-1000829 | 1 Anyplace Project | 1 Anyplace | 2019-02-07 | 6.8 MEDIUM | 9.0 CRITICAL |
| Anyplace version before commit 80359b4 contains a XML External Entity (XXE) vulnerability in Man in the middle on map API call that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This vulnerability appears to have been fixed in after commit 80359b4. | |||||
| CVE-2018-1000840 | 1 Processing | 1 Processing | 2019-02-07 | 4.3 MEDIUM | 6.5 MEDIUM |
| Processing Foundation Processing version 3.4 and earlier contains a XML External Entity (XXE) vulnerability in loadXML() function that can result in An attacker can read arbitrary files and exfiltrate their contents via HTTP requests. This attack appear to be exploitable via The victim must use Processing to parse a crafted XML document. | |||||
| CVE-2018-20233 | 1 Atlassian | 1 Universal Plugin Manager | 2019-02-06 | 5.5 MEDIUM | 6.5 MEDIUM |
| The Upload add-on resource in Atlassian Universal Plugin Manager before version 2.22.14 allows remote attackers who have system administrator privileges to read files, make network requests and perform a denial of service attack via an XML External Entity vulnerability in the parsing of atlassian plugin xml files in an uploaded JAR. | |||||
| CVE-2018-15362 | 1 Ge | 1 Cimplicity | 2019-02-06 | 6.4 MEDIUM | 9.1 CRITICAL |
| XXE in GE Proficy Cimplicity GDS versions 9.0 R2, 9.5, 10.0 | |||||
| CVE-2018-7063 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2019-02-05 | 6.8 MEDIUM | 8.1 HIGH |
| In Aruba ClearPass, disabled API admins can still perform read/write operations. In certain circumstances, API admins in ClearPass which have been disabled may still be able to perform read/write operations on parts of the XML API. This can lead to unauthorized access to the API and complete compromise of the ClearPass instance if an attacker knows of the existence of these accounts. | |||||
| CVE-2018-20298 | 1 S3browser | 1 S3 Browser | 2019-02-04 | 4.3 MEDIUM | 6.5 MEDIUM |
| S3 Browser before 8.1.5 contains an XML external entity (XXE) vulnerability, allowing remote attackers to read arbitrary files and obtain NTLMv2 hash values by tricking a user into connecting to a malicious server via the S3 protocol. | |||||
| CVE-2018-20733 | 6 Hpe, Ibm, Linux and 3 more | 6 Hp-ux Ipfilter, Aix, Linux Kernel and 3 more | 2019-02-01 | 5.0 MEDIUM | 7.5 HIGH |
| BI Web Services in SAS Web Infrastructure Platform before 9.4M6 allows XXE. | |||||
| CVE-2018-7837 | 1 Schneider-electric | 1 Iiot Monior | 2019-02-01 | 5.0 MEDIUM | 7.5 HIGH |
| An Improper Restriction of XML External Entity Reference ('XXE') vulnerability exists on numerous methods of the IIoT Monitor 3.1.38 software that could allow the software to resolve documents outside of the intended sphere of control, causing the software to embed incorrect documents into its output and expose restricted information. | |||||
| CVE-2018-19244 | 1 Charlesproxy | 1 Charles | 2019-02-01 | 5.0 MEDIUM | 8.6 HIGH |
| An XML External Entity (XXE) vulnerability exists in the Charles 4.2.7 import/export setup option. If a user imports a "Charles Settings.xml" file from an attacker, an intranet network may be accessed and information may be leaked. | |||||
| CVE-2018-17186 | 1 Apache | 1 Syncope | 2019-01-31 | 6.5 MEDIUM | 7.2 HIGH |
| An administrator with workflow definition entitlements can use DTD to perform malicious operations, including but not limited to file read, file write, and code execution. | |||||
| CVE-2019-5748 | 1 Traccar | 1 Server | 2019-01-30 | 7.5 HIGH | 9.8 CRITICAL |
| In Traccar Server version 4.2, protocol/SpotProtocolDecoder.java might allow XXE attacks. | |||||
| CVE-2018-18980 | 1 Zohocorp | 2 Manageengine Network Configuration Manager, Manageengine Opmanager | 2019-01-30 | 5.0 MEDIUM | 7.5 HIGH |
| An XML External Entity injection (XXE) vulnerability exists in Zoho ManageEngine Network Configuration Manager and OpManager before 12.3.214 via the RequestXML parameter in a /devices/ProcessRequest.do GET request. For example, the attacker can trigger the transmission of local files to an arbitrary remote FTP server. | |||||
| CVE-2018-16166 | 1 Jpcert | 1 Logontracer | 2019-01-25 | 6.8 MEDIUM | 8.8 HIGH |
| LogonTracer 1.2.0 and earlier allows remote attackers to conduct XML External Entity (XXE) attacks via unspecified vectors. | |||||
| CVE-2018-19371 | 1 Sdl | 1 Web Content Manager | 2019-01-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| The SaveUserSettings service in Content Manager in SDL Web 8.5.0 has an XXE Vulnerability that allows reading sensitive files from the system. | |||||
| CVE-2018-20000 | 1 Apereo | 1 Bw-webdav | 2019-01-24 | 5.0 MEDIUM | 7.5 HIGH |
| Apereo Bedework bw-webdav before 4.0.3 allows XXE attacks, as demonstrated by an invite-reply document that reads a local file, related to webdav/servlet/common/MethodBase.java and webdav/servlet/common/PostRequestPars.java. | |||||
| CVE-2018-20318 | 1 Wxjava Project | 1 Wxjava | 2019-01-16 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in weixin-java-tools v3.2.0. There is an XXE vulnerability in the getXmlDoc method of the BaseWxPayResult.java file. | |||||