Total
1209 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-26058 | 1 Nokia | 1 Netact | 2025-02-04 | N/A | 6.5 MEDIUM |
|
An XXE issue was discovered in Nokia NetAct before 22 FP2211 via an XML document to a Performance Manager page. Input validation and a proper XML parser configuration are missing. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user.
|
|||||
| CVE-2023-26057 | 1 Nokia | 1 Netact | 2025-02-04 | N/A | 6.5 MEDIUM |
|
An XXE issue was discovered in Nokia NetAct before 22 FP2211 via an XML document to the Configuration Dashboard page. Input validation and a proper XML parser configuration are missing. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user.
|
|||||
| CVE-2023-29443 | 1 Zohocorp | 4 Manageengine Assetexplorer, Manageengine Servicedesk Plus, Manageengine Servicedesk Plus Msp and 1 more | 2025-02-03 | N/A | 4.9 MEDIUM |
|
Zoho ManageEngine ServiceDesk Plus before 14105, ServiceDesk Plus MSP before 14200, SupportCenter Plus before 14200, and AssetExplorer before 6989 allow SDAdmin attackers to conduct XXE attacks via a crafted server that sends malformed XML from a Reports integration API endpoint.
|
|||||
| CVE-2023-27527 | 1 Touki-kyoutaku-online | 1 Shinseiyo Sogo Soft | 2025-01-28 | N/A | 7.5 HIGH |
|
Shinseiyo Sogo Soft (7.9A) and earlier improperly restricts XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the PC may be accessed by an attacker.
|
|||||
| CVE-2024-25971 | 1 Dell | 1 Powerprotect Data Manager | 2025-01-27 | N/A | 5.5 MEDIUM |
|
Dell PowerProtect Data Manager, version 19.15, contains an XML External Entity Injection vulnerability. A remote high privileged attacker could potentially exploit this vulnerability, leading to information disclosure, denial-of-service.
|
|||||
| CVE-2023-27554 | 1 Ibm | 1 Websphere Application Server | 2025-01-24 | N/A | 6.3 MEDIUM |
|
IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 249185.
|
|||||
| CVE-2024-5919 | 1 Paloaltonetworks | 1 Pan-os | 2025-01-24 | N/A | 6.5 MEDIUM |
|
A blind XML External Entities (XXE) injection vulnerability in the Palo Alto Networks PAN-OS software enables an authenticated attacker to exfiltrate arbitrary files from firewalls to an attacker controlled server. This attack requires network access to the firewall management interface.
|
|||||
| CVE-2024-49535 | 3 Adobe, Apple, Microsoft | 6 Acrobat, Acrobat Dc, Acrobat Reader and 3 more | 2025-01-23 | N/A | 6.3 MEDIUM |
|
Acrobat Reader versions 24.005.20307, 24.001.30213, 24.001.30193, 20.005.30730, 20.005.30710 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that allows an attacker to provide malicious XML input containing a reference to an external entity, potentially leading to unauthorized read access outside the Acrobat sandbox. Exploitation of this issue requires user interaction in that a victim must process a malicious XML document.
|
|||||
| CVE-2024-42185 | 2025-01-23 | N/A | 2.5 LOW | ||
|
BigFix Patch Download Plug-ins are affected by an insecure package which is susceptible to XML injection attacks. This allows an attacker to exploit this vulnerability by injecting malicious XML content, which can lead to various issues including denial of service and unauthorized access.
|
|||||
| CVE-2024-3486 | 1 Microfocus | 1 Imanager | 2025-01-21 | N/A | 7.8 HIGH |
|
XML External Entity injection vulnerability found in OpenText™ iManager 3.2.6.0200. This could lead to information disclosure and remote code execution.
|
|||||
| CVE-2024-3969 | 1 Microfocus | 1 Imanager | 2025-01-21 | N/A | 7.8 HIGH |
|
XML External Entity injection vulnerability found in OpenText™ iManager 3.2.6.0200. This could lead to remote code execution by parsing untrusted XML payload
|
|||||
| CVE-2022-46300 | 1 Visam | 1 Vbase Automation Base | 2025-01-17 | N/A | 5.5 MEDIUM |
|
Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.
|
|||||
| CVE-2022-45468 | 1 Visam | 1 Vbase Automation Base | 2025-01-17 | N/A | 5.5 MEDIUM |
|
Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.
|
|||||
| CVE-2022-45121 | 1 Visam | 1 Vbase Automation Base | 2025-01-17 | N/A | 5.5 MEDIUM |
|
Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.
|
|||||
| CVE-2022-43512 | 1 Visam | 1 Vbase Automation Base | 2025-01-17 | N/A | 5.5 MEDIUM |
|
Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.
|
|||||
| CVE-2022-41696 | 1 Visam | 1 Vbase Automation Base | 2025-01-17 | N/A | 5.5 MEDIUM |
|
Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.
|
|||||
| CVE-2022-45876 | 1 Visam | 1 Vbase | 2025-01-17 | N/A | 5.5 MEDIUM |
|
Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.
|
|||||
| CVE-2022-41221 | 1 Opentext | 1 Archive Center Administration | 2025-01-17 | N/A | 7.1 HIGH |
|
The client in OpenText Archive Center Administration through 21.2 allows XXE attacks. Authenticated users of the OpenText Archive Center Administration client (Versions 16.2.3, 21.2, and older versions) could upload XML files to the application that it did not sufficiently validate. As a result, attackers could craft XML files that, when processed by the application, would cause a negative security impact such as data exfiltration or localized denial of service against the application instance a ...
Show More |
|||||
| CVE-2024-12476 | 2025-01-17 | N/A | 7.8 HIGH | ||
|
CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could
cause information disclosure, impacts workstation integrity and potential remote code execution on the
compromised computer, when specific crafted XML file is imported in the Web Designer configuration tool.
|
|||||
| CVE-2024-4357 | 1 Progress | 1 Telerik Reporting | 2025-01-16 | N/A | 6.5 MEDIUM |
|
An information disclosure vulnerability exists in Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, allows low-privilege attacker to read systems file via XML External Entity Processing.
|
|||||
| CVE-2024-12298 | 2025-01-14 | N/A | 5.5 MEDIUM | ||
|
We found a vulnerability Improper Restriction of XML External Entity Reference (CWE-611) in NB-series NX-Designer. Attackers may be able to abuse this vulnerability to disclose confidential data on a computer.
|
|||||
| CVE-2024-30043 | 1 Microsoft | 1 Sharepoint Server | 2025-01-08 | N/A | 6.5 MEDIUM |
|
Microsoft SharePoint Server Information Disclosure Vulnerability
|
|||||
| CVE-2023-34411 | 1 Xml Library Project | 1 Xml Library | 2025-01-08 | N/A | 7.5 HIGH |
|
The xml-rs crate before 0.8.14 for Rust and Crab allows a denial of service (panic) via an invalid <! token (such as <!DOCTYPEs/%<!A nesting) in an XML document. The earliest affected version is 0.8.9.
|
|||||
| CVE-2024-49064 | 1 Microsoft | 1 Sharepoint Server | 2025-01-08 | N/A | 6.5 MEDIUM |
|
Microsoft SharePoint Information Disclosure Vulnerability
|
|||||
| CVE-2023-24470 | 1 Microfocus | 1 Arcsight Logger | 2025-01-06 | N/A | 9.1 CRITICAL |
|
Potential XML External Entity Injection in ArcSight Logger versions prior to 7.3.0.
|
|||||
| CVE-2023-29498 | 1 Fujielectric | 1 Frenic Rhc Loader | 2025-01-03 | N/A | 5.5 MEDIUM |
|
Improper restriction of XML external entity reference (XXE) vulnerability exists in FRENIC RHC Loader v1.1.0.3 and earlier. If a user opens a specially crafted project file, sensitive information on the system where the affected product is installed may be disclosed.
|
|||||
| CVE-2024-55081 | 2025-01-02 | N/A | 9.8 CRITICAL | ||
|
An XML External Entity (XXE) injection vulnerability in the component /datagrip/upload of Chat2DB v0.3.5 allows attackers to execute arbitrary code via supplying a crafted XML input.
|
|||||
| CVE-2024-56356 | 1 Jetbrains | 1 Teamcity | 2025-01-02 | N/A | 5.9 MEDIUM |
|
In JetBrains TeamCity before 2024.12 insecure XMLParser configuration could lead to potential XXE attack
|
|||||
| CVE-2021-22501 | 2024-12-19 | N/A | N/A | ||
|
Improper Restriction of XML External Entity Reference vulnerability in OpenText™ Operations Bridge Manager allows Input Data Manipulation.
The vulnerability could be exploited to confidential information
This issue affects Operations Bridge Manager: 2017.05, 2017.11, 2018.05, 2018.11, 2019.05, 2019.11, 2020.05, 2020.10.
|
|||||
| CVE-2024-31139 | 1 Jetbrains | 1 Teamcity | 2024-12-16 | N/A | 5.9 MEDIUM |
|
In JetBrains TeamCity before 2024.03 xXE was possible in the Maven build steps detector
|
|||||
| CVE-2023-25926 | 3 Ibm, Linux, Microsoft | 4 Aix, Security Guardium Key Lifecycle Manager, Linux Kernel and 1 more | 2024-12-13 | N/A | 5.5 MEDIUM |
|
IBM Security Guardium Key Lifecycle Manager 3.0, 3.0.1, 4.0, 4.1, and 4.1.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 247599.
|
|||||
| CVE-2024-55887 | 2024-12-13 | N/A | 8.6 HIGH | ||
|
Ucum-java is a FHIR Java library providing UCUM Services. In versions prior to 1.0.9, XML parsing performed by the UcumEssenceService is vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag could produce XML containing data from the host system. This impacts use cases where ucum is being used to within a host where external clients can submit XML. Release 1.0.9 of Ucum-java fixes this vulnerability. As a workaround, ensure that the source xml for instantiat ...
Show More |
|||||
| CVE-2024-55875 | 2024-12-13 | N/A | 9.8 CRITICAL | ||
|
http4k is a functional toolkit for Kotlin HTTP applications. Prior to version 5.41.0.0, there is a potential XXE (XML External Entity Injection) vulnerability when http4k handling malicious XML contents within requests, which might allow attackers to read local sensitive information on server, trigger Server-side Request Forgery and even execute code under some circumstances. Version 5.41.0.0 contains a patch for the issue.
|
|||||
| CVE-2024-11622 | 1 Hpe | 1 Insight Remote Support | 2024-12-12 | N/A | 7.3 HIGH |
|
An XML external entity injection (XXE) vulnerability in HPE Insight Remote Support may allow remote users to disclose information in certain cases.
|
|||||
| CVE-2024-53674 | 1 Hpe | 1 Insight Remote Support | 2024-12-12 | N/A | 7.3 HIGH |
|
An XML external entity injection (XXE) vulnerability in HPE Insight Remote Support may allow remote users to disclose information in certain cases.
|
|||||
| CVE-2024-53675 | 1 Hpe | 1 Insight Remote Support | 2024-12-12 | N/A | 7.3 HIGH |
|
An XML external entity injection (XXE) vulnerability in HPE Insight Remote Support may allow remote users to disclose information in certain cases.
|
|||||
| CVE-2024-46455 | 2024-12-12 | N/A | 9.8 CRITICAL | ||
|
unstructured v.0.14.2 and before is vulnerable to XML External Entity (XXE) via the XMLParser.
|
|||||
| CVE-2024-25606 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2024-12-11 | N/A | 8.0 HIGH |
|
XXE vulnerability in Liferay Portal 7.2.0 through 7.4.3.7, and older unsupported versions, and Liferay DXP 7.4 before update 4, 7.3 before update 12, 7.2 before fix pack 20, and older unsupported versions allows attackers with permission to deploy widgets/portlets/extensions to obtain sensitive information or consume system resources via the Java2WsddTask._format method.
|
|||||
| CVE-2024-8602 | 2024-12-11 | N/A | N/A | ||
|
When the XML is read from the codes in the PDF and parsed using a DocumentBuilder, the default settings of the DocumentBuilder allow for an XXE (XML External Entity) attack. Further information on this can be found on the website of the Open Worldwide Application Security Project (OWASP). An attacker could theoretically leverage this by delivering a manipulated PDF file to the target, and depending on the environment, various actions can be executed. These actions include:
* Reading files fr ...
Show More |
|||||
| CVE-2024-54005 | 2024-12-10 | N/A | 5.1 MEDIUM | ||
|
A vulnerability has been identified in COMOS V10.3 (All versions < V10.3.3.5.8), COMOS V10.4.0 (All versions), COMOS V10.4.1 (All versions), COMOS V10.4.2 (All versions), COMOS V10.4.3 (All versions < V10.4.3.0.47), COMOS V10.4.4 (All versions < V10.4.4.2), COMOS V10.4.4.1 (All versions < V10.4.4.1.21). The PDMS/E3D Engineering Interface improperly handles XML External Entity (XXE) entries when communicating with an external application. This could allow an attacker to extract any file with a kn ...
Show More |
|||||