Total: 1045 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2018-8532 | 1 Microsoft | 1 Sql Server Management Studio | 2018-11-27 | 4.3 MEDIUM | 5.5 MEDIUM |
An information disclosure vulnerability exists in Microsoft SQL Server Management Studio (SSMS) when parsing a malicious XMLA file containing a reference to an external entity, aka "SQL Server Management Studio Information Disclosure Vulnerability." This affects SQL Server Management Studio 17.9, SQL Server Management Studio 18.0. This CVE ID is unique from CVE-2018-8527, CVE-2018-8533. | |||||
CVE-2018-8533 | 1 Microsoft | 1 Sql Server Management Studio | 2018-11-27 | 4.3 MEDIUM | 5.5 MEDIUM |
An information disclosure vulnerability exists in Microsoft SQL Server Management Studio (SSMS) when parsing malicious XML content containing a reference to an external entity, aka "SQL Server Management Studio Information Disclosure Vulnerability." This affects SQL Server Management Studio 17.9, SQL Server Management Studio 18.0. This CVE ID is unique from CVE-2018-8527, CVE-2018-8532. | |||||
CVE-2018-8420 | 1 Microsoft | 4 Windows 10, Windows 7, Windows 8.1 and 1 more | 2018-11-19 | 9.3 HIGH | 8.8 HIGH |
A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka "MS XML Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. | |||||
CVE-2017-17762 | 1 Episerver | 1 Episerver | 2018-11-08 | 5.0 MEDIUM | 7.5 HIGH |
XML external entity (XXE) vulnerability in Episerver 7 patch 4 and earlier allows remote attackers to read arbitrary files via a crafted DTD in an XML request involving util/xmlrpc/Handler.ashx. | |||||
CVE-2018-1000644 | 1 Eclipse | 1 Rdf4j | 2018-11-01 | 7.5 HIGH | 10.0 CRITICAL |
Eclipse RDF4j version < 2.4.0 Milestone 2 contains an XML External Entity (XXE) vulnerability in the RDF4j XML parser when parsing RDF files that can result in the disclosure of confidential data, denial of service, server-side request forgery, or port scanning. This attack appears to be exploitable via a specially crafted RDF file. | |||||
CVE-2018-1000651 | 1 Gchq | 1 Stroom | 2018-11-01 | 7.5 HIGH | 10.0 CRITICAL |
Stroom version <5.4.5 contains an XML External Entity (XXE) vulnerability in its XML parser that can result in disclosure of confidential data, denial of service, server-side request forgery, or port scanning. This attack appears to be exploitable via a specially crafted XML file. | |||||
CVE-2016-7459 | 1 Vmware | 1 Vcenter Server | 2018-10-30 | 4.0 MEDIUM | 7.7 HIGH |
VMware vCenter Server 5.5 before U3e and 6.0 before U2a allows remote authenticated users to read arbitrary files via a (1) Log Browser, (2) Distributed Switch setup, or (3) Content Library XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. | |||||
CVE-2018-1000652 | 1 Jabref | 1 Jabref | 2018-10-23 | 7.5 HIGH | 10.0 CRITICAL |
JabRef version <=4.3.1 contains an XML External Entity (XXE) vulnerability in the MsBibImporter XML parser that can result in disclosure of confidential data, denial of service, server-side request forgery, or port scanning. This attack appears to be exploitable via a specially crafted MsBib file. This vulnerability appears to have been fixed as of commit 89f855d. | |||||
CVE-2018-11719 | 1 Xovis | 6 Pc2, Pc2 Firmware, Pc2r and 3 more | 2018-10-22 | 4.0 MEDIUM | 4.9 MEDIUM |
Xovis PC2, PC2R, and PC3 devices through 3.6.0 allow XXE. | |||||
CVE-2016-4047 | 1 Open-xchange | 1 Open-xchange Appsuite | 2018-10-19 | 4.0 MEDIUM | 4.3 MEDIUM |
An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev8. References to external Open XML document type definitions (.dtd resources) can be placed within .docx and .xslx files. Those resources were requested when parsing certain parts of the generated document. As a result, an attacker can track access to a manipulated document. Usage of a document may get tracked and information about internal infrastructure may get exposed. | |||||
CVE-2018-13417 | 1 Vuze | 1 Bittorrent Client | 2018-10-18 | 7.5 HIGH | 9.8 CRITICAL |
In Vuze Bittorrent Client 5.7.6.0, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this vulnerability to: (1) access arbitrary files from the filesystem with the same permissions as the user account running Vuze, (2) initiate SMB connections to capture a NetNTLM challenge/response and crack it to a cleartext password, or (3) initiate SMB connections to relay a NetNTLM challenge/response and achieve Remote Command Execution in Windows domains. | |||||
CVE-2018-13415 | 1 Plex | 1 Media Server | 2018-10-18 | 7.5 HIGH | 9.8 CRITICAL |
In Plex Media Server 1.13.2.5154, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this vulnerability to: (1) access arbitrary files from the filesystem with the same permissions as the user account running Plex, (2) initiate SMB connections to capture a NetNTLM challenge/response and crack it to a cleartext password, or (3) initiate SMB connections to relay a NetNTLM challenge/response and achieve Remote Command Execution in Windows domains. | |||||
CVE-2018-13416 | 1 Spirton | 1 Universal Media Server | 2018-10-17 | 7.5 HIGH | 9.8 CRITICAL |
In Universal Media Server (UMS) 7.1.0, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this vulnerability to: (1) access arbitrary files from the filesystem with the same permissions as the user account running UMS, (2) initiate SMB connections to capture a NetNTLM challenge/response and crack it to a cleartext password, or (3) initiate SMB connections to relay a NetNTLM challenge/response and achieve Remote Command Execution in Windows domains. | |||||
CVE-2016-8526 | 1 Hp | 1 Airwave | 2018-10-16 | 4.0 MEDIUM | 8.8 HIGH |
Aruba Airwave, all versions up to but not including 8.2.3.1, is vulnerable to XML external entities (XXE). XXEs are a way to permit XML parsers to access storage that exists on external systems. If an unprivileged user is permitted to control the contents of XML files, XXE can be used as an attack vector. Because the XML parser has access to the local filesystem and runs with the permissions of the web server, it can access any file that is readable by the web server and copy it to an external system of the attacker's choosing. This could include files that contain passwords, which could then lead to privilege escalation. | |||||
CVE-2016-4312 | 1 Wso2 | 1 Identity Server | 2018-10-09 | 6.0 MEDIUM | 7.5 HIGH |
XML external entity (XXE) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 before WSO2-CARBON-PATCH-4.4.0-0231 allows remote authenticated users with access to XACML features to read arbitrary files, cause a denial of service, conduct server-side request forgery (SSRF) attacks, or have unspecified other impact via a crafted XACML request to entitlement/eval-policy-submit.jsp. NOTE: this issue can be combined with CVE-2016-4311 to exploit the vulnerability without credentials. | |||||
CVE-2015-7326 | 1 Milton | 1 Webdav | 2018-10-09 | 7.5 HIGH | 9.8 CRITICAL |
XML External Entity (XXE) vulnerability in Milton Webdav before 2.7.0.3. | |||||
CVE-2015-7241 | 1 Sap | 1 Netweaver | 2018-10-09 | 7.5 HIGH | 9.8 CRITICAL |
XML External Entity (XXE) vulnerability in SAP Netweaver before 7.01. | |||||
CVE-2018-14473 | 1 Ocsinventory-ng | 1 Ocsinventory Ng | 2018-10-01 | 6.4 MEDIUM | 9.1 CRITICAL |
OCS Inventory 2.4.1 lacks a proper XML parsing configuration, allowing the use of external entities. This issue can be exploited by an attacker sending a crafted HTTP request in order to exfiltrate information or cause a Denial of Service. | |||||
CVE-2014-2296 | 1 Apereo | 1 Cas Server | 2018-09-19 | 6.8 MEDIUM | 8.8 HIGH |
XML external entity (XXE) vulnerability in java/org/jasig/cas/util/SamlUtils.java in Jasig CAS server before 3.4.12.1 and 3.5.x before 3.5.2.1, when Google Accounts Integration is enabled, allows remote unauthenticated users to bypass authentication via crafted XML data. | |||||
CVE-2018-14065 | 1 Phpoffice Project | 1 Common | 2018-09-12 | 7.5 HIGH | 9.8 CRITICAL |
XMLReader.php in PHPOffice Common before 0.2.9 allows XXE. |