Total
1209 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-32458 | 1 Digiwin | 1 Business Process Management | 2024-11-21 | N/A | 7.5 HIGH |
|
Digiwin BPM has a XML External Entity Injection (XXE) vulnerability due to insufficient validation for user input. An unauthenticated remote attacker can perform XML injection attack to access arbitrary system files.
|
|||||
| CVE-2022-32285 | 1 Mendix | 1 Saml | 2024-11-21 | 4.3 MEDIUM | 7.5 HIGH |
|
A vulnerability has been identified in Mendix SAML Module (Mendix 7 compatible) (All versions < V1.16.6), Mendix SAML Module (Mendix 8 compatible) (All versions < V2.2.2), Mendix SAML Module (Mendix 9 compatible) (All versions < V3.2.3). The affected module is vulnerable to XML External Entity (XXE) attacks due to insufficient input sanitation. This may allow an attacker to disclose confidential data under certain circumstances.
|
|||||
| CVE-2022-31775 | 1 Ibm | 1 Datapower Gateway | 2024-11-21 | N/A | 9.1 CRITICAL |
|
IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 228359.
|
|||||
| CVE-2022-31471 | 1 Untangle Project | 1 Untangle | 2024-11-21 | N/A | 7.5 HIGH |
|
untangle is a python library to convert XML data to python objects. untangle versions 1.2.0 and earlier improperly restricts XML external entity references. By exploiting this vulnerability, a remote unauthenticated attacker may read the contents of local files.
|
|||||
| CVE-2022-31447 | 1 Magicpin | 1 Magicpin | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
An XML external entity (XXE) injection vulnerability in Magicpin v3.4 allows attackers to access sensitive database information via a crafted SVG file.
|
|||||
| CVE-2022-31261 | 1 Morpheusdata | 1 Morpheus | 2024-11-21 | 4.3 MEDIUM | 7.5 HIGH |
|
An XXE issue was discovered in Morpheus through 5.2.16 and 5.4.x through 5.4.4. A successful attack requires a SAML identity provider to be configured. In order to exploit the vulnerability, the attacker must know the unique SAML callback ID of the configured identity source. A remote attacker can send a request crafted with an XXE payload to invoke a malicious DTD hosted on a system that they control. This results in reading local files that the application has access to.
|
|||||
| CVE-2022-30971 | 1 Jenkins | 1 Storable Configs | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
Jenkins Storable Configs Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
|
|||||
| CVE-2022-2838 | 1 Eclipse | 1 Sphinx | 2024-11-21 | N/A | 5.3 MEDIUM |
|
In Eclipse Sphinx™ before version 0.13.1, Apache Xerces XML Parser was used without disabling processing of referenced external entities allowing the injection of arbitrary definitions which is able to access local files and expose their contents via HTTP requests.
|
|||||
| CVE-2022-2759 | 1 Deltaww | 1 Delta Robot Automation Studio | 2024-11-21 | N/A | 5.5 MEDIUM |
|
Delta Electronics Delta Robot Automation Studio (DRAS) versions prior to 1.13.20 are affected by improper restrictions where the software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. This may allow an attacker to view sensitive documents and information on the affected host.
|
|||||
| CVE-2022-2458 | 1 Redhat | 1 Process Automation Manager | 2024-11-21 | N/A | 8.2 HIGH |
|
XML external entity injection(XXE) is a vulnerability that allows an attacker to interfere with an application's processing of XML data. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. Here, XML external ent ...
Show More |
|||||
| CVE-2022-2414 | 1 Dogtagpki | 1 Dogtagpki | 2024-11-21 | N/A | 7.5 HIGH |
|
Access to external entities when parsing XML documents can lead to XML external entity (XXE) attacks. This flaw allows a remote attacker to potentially retrieve the content of arbitrary files by sending specially crafted HTTP requests.
|
|||||
| CVE-2022-2330 | 2 Mcafee, Microsoft | 2 Data Loss Prevention Endpoint, Windows | 2024-11-21 | N/A | 6.5 MEDIUM |
|
Improper Restriction of XML External Entity Reference vulnerability in DLP Endpoint for Windows prior to 11.9.100 allows a remote attacker to cause the DLP Agent to access a local service that the attacker wouldn't usually have access to via a carefully constructed XML file, which the DLP Agent doesn't parse correctly.
|
|||||
| CVE-2022-2131 | 1 Openkm | 1 Openkm | 2024-11-21 | N/A | 8.5 HIGH |
|
OpenKM Community Edition in its 6.3.10 version and before was using XMLReader parser in XMLTextExtractor.java file without the required security flags, allowing an attacker to perform a XML external entity injection attack.
|
|||||
| CVE-2022-29943 | 1 Talend | 1 Administration Center | 2024-11-21 | 6.8 MEDIUM | 6.5 MEDIUM |
|
Talend Administration Center has a vulnerability that allows an authenticated user to use XML External Entity (XXE) processing to achieve read access as root on the remote filesystem. The issue is fixed for versions 8.0.x in TPS-5189, versions 7.3.x in TPS-5175, and versions 7.2.x in TPS-5201. Earlier versions of Talend Administration Center may also be impacted; users are encouraged to update to a supported version.
|
|||||
| CVE-2022-29801 | 1 Siemens | 1 Teamcenter | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
A vulnerability has been identified in Teamcenter V12.4 (All versions < V12.4.0.13), Teamcenter V13.0 (All versions < V13.0.0.9). The application contains a XML External Entity Injection (XXE) vulnerability. This could allow an attacker to view files on the application server filesystem.
|
|||||
| CVE-2022-29265 | 1 Apache | 1 Nifi | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The following Processors attempt to resolve XML External Entity references when configured with default property values: - EvaluateXPath - EvaluateXQuery - ValidateXml Apache NiFi flow configurations that include these Processors are vulnerable to mal ...
Show More |
|||||
| CVE-2022-28890 | 1 Apache | 1 Jena | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
A vulnerability in the RDF/XML parser of Apache Jena allows an attacker to cause an external DTD to be retrieved. This issue affects Apache Jena version 4.4.0 and prior versions. Apache Jena 4.2.x and 4.3.x do not allow external entities.
|
|||||
| CVE-2022-28219 | 1 Zohocorp | 1 Manageengine Adaudit Plus | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Cewolf in Zoho ManageEngine ADAudit Plus before 7060 is vulnerable to an unauthenticated XXE attack that leads to Remote Code Execution.
|
|||||
| CVE-2022-28155 | 1 Jenkins | 1 Pipeline\ | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
|
Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
|
|||||
| CVE-2022-28154 | 1 Jenkins | 1 Coverage\/complexity Scatter Plot | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
|
Jenkins Coverage/Complexity Scatter Plot Plugin 1.1.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
|
|||||
| CVE-2022-28140 | 1 Jenkins | 1 Flaky Test Handler | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
|
Jenkins Flaky Test Handler Plugin 1.2.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
|
|||||
| CVE-2022-27873 | 1 Autodesk | 1 Fusion 360 | 2024-11-21 | N/A | 7.8 HIGH |
|
An attacker can force the victim’s device to perform arbitrary HTTP requests in WAN through a malicious SVG file being parsed by Autodesk Fusion 360’s document parser. The vulnerability exists in the application’s ‘Insert SVG’ procedure. An attacker can also leverage this vulnerability to obtain victim’s public IP and possibly other sensitive information.
|
|||||
| CVE-2022-27193 | 1 Cvrf-csaf-converter Project | 1 Cvrf-csaf-converter | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
CVRF-CSAF-Converter before 1.0.0-rc2 resolves XML External Entities (XXE). This leads to the inclusion of arbitrary (local) file content into the generated output document. An attacker can exploit this to disclose information from the system running the converter.
|
|||||
| CVE-2022-26661 | 2 Debian, Tryton | 3 Debian Linux, Proteus, Trytond | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system.
|
|||||
| CVE-2022-25312 | 1 Apache | 1 Any23 | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
|
An XML external entity (XXE) injection vulnerability was discovered in the Any23 RDFa XSLTStylesheet extractor and is known to affect Any23 versions < 2.7. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access. This ...
Show More |
|||||
| CVE-2022-25209 | 1 Jenkins | 1 Chef Sinatra | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
Jenkins Chef Sinatra Plugin 1.20 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
|
|||||
| CVE-2022-24898 | 1 Xwiki | 1 Commons | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
|
org.xwiki.commons:xwiki-commons-xml is a common module used by other XWiki top level projects. Starting in version 2.7 and prior to versions 12.10.10, 13.4.4, and 13.8-rc-1, it is possible for a script to access any file accessing to the user running XWiki application server with XML External Entity Injection through the XML script service. The problem has been patched in versions 12.10.10, 13.4.4, and 13.8-rc-1. There is no easy workaround for fixing this vulnerability other than upgrading and ...
Show More |
|||||
| CVE-2022-24449 | 1 Rt-solar | 1 Solar Appscreener | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Solar appScreener through 3.10.4, when a valid license is not present, allows XXE and SSRF attacks via a crafted XML document.
|
|||||
| CVE-2022-24340 | 1 Jetbrains | 1 Teamcity | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
In JetBrains TeamCity before 2021.2.1, XXE during the parsing of the configuration file was possible.
|
|||||
| CVE-2022-23640 | 1 Excel Streaming Reader Project | 1 Excel Streaming Reader | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Excel-Streaming-Reader is an easy-to-use implementation of a streaming Excel reader using Apache POI. Prior to xlsx-streamer 2.1.0, the XML parser that was used did apply all the necessary settings to prevent XML Entity Expansion issues. Upgrade to version 2.1.0 to receive a patch. There is no known workaround.
|
|||||
| CVE-2022-23170 | 1 Sysaid | 1 Okta Sso | 2024-11-21 | 6.8 MEDIUM | 5.9 MEDIUM |
|
SysAid - Okta SSO integration - was found vulnerable to XML External Entity Injection vulnerability. Any SysAid environment that uses the Okta SSO integration might be vulnerable. An unauthenticated attacker could exploit the XXE vulnerability by sending a malformed POST request to the identity provider endpoint. An attacker can extract the identity provider endpoint by decoding the SAMLRequest parameter's value and searching for the AssertionConsumerServiceURL parameter's value. It often allows ...
Show More |
|||||
| CVE-2022-23031 | 1 F5 | 3 Big-ip Advanced Web Application Firewall, Big-ip Application Security Manager, Big-ip Fraud Protection Service | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
|
On BIG-IP FPS, ASM, and Advanced WAF versions 16.1.x before 16.1.1, 15.1.x before 15.1.4, and 14.1.x before 14.1.4.4, an XML External Entity (XXE) vulnerability exists in an undisclosed page of the F5 Advanced Web Application Firewall (Advanced WAF) and BIG-IP ASM Traffic Management User Interface (TMUI), also referred to as the Configuration utility, that allows an authenticated high-privileged attacker to read local files and force BIG-IP to send HTTP requests. Note: Software versions which ha ...
Show More |
|||||
| CVE-2022-22977 | 2 Microsoft, Vmware | 2 Windows, Tools | 2024-11-21 | 3.6 LOW | 7.1 HIGH |
|
VMware Tools for Windows(12.0.0, 11.x.y and 10.x.y) contains an XML External Entity (XXE) vulnerability. A malicious actor with non-administrative local user privileges in the Windows guest OS, where VMware Tools is installed, may exploit this issue leading to a denial-of-service condition or unintended information disclosure.
|
|||||
| CVE-2022-22835 | 1 Overit | 1 Geocall | 2024-11-21 | 3.5 LOW | 6.5 MEDIUM |
|
An issue was discovered in OverIT Geocall before version 8.0. An authenticated user who has the Test Trasformazione XSL functionality enabled can exploit a XXE vulnerability to read arbitrary files from the filesystem.
|
|||||
| CVE-2022-22795 | 1 Signiant | 1 Manager\+agents | 2024-11-21 | 6.4 MEDIUM | 6.8 MEDIUM |
|
Signiant - Manager+Agents XML External Entity (XXE) - Extract internal files of the affected machine An attacker can read all the system files, the product is running with root on Linux systems and nt/authority on windows systems, which allows him to access and extract any file on the systems, such as passwd, shadow, hosts and so on. By gaining access to these files, attackers can steal sensitive information from the victims machine.
|
|||||
| CVE-2022-22774 | 1 Tibco | 2 Managed File Transfer Command Center, Managed File Transfer Internet Server | 2024-11-21 | 6.4 MEDIUM | 8.6 HIGH |
|
The DOM XML parser and SAX XML parser components of TIBCO Software Inc.'s TIBCO Managed File Transfer Command Center, TIBCO Managed File Transfer Command Center, TIBCO Managed File Transfer Internet Server, and TIBCO Managed File Transfer Internet Server contains an easily exploitable vulnerability that allows an unauthenticated attacker with network access to execute XML External Entity (XXE) attacks on the affected system. Affected releases are TIBCO Software Inc.'s TIBCO Managed File Transfer ...
Show More |
|||||
| CVE-2022-22489 | 3 Ibm, Linux, Microsoft | 3 Mq, Linux Kernel, Windows | 2024-11-21 | N/A | 9.1 CRITICAL |
|
IBM MQ 8.0, (9.0, 9.1, 9.2 LTS), and (9.1 and 9.2 CD) are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 226339.
|
|||||
| CVE-2022-22486 | 1 Ibm | 1 Tivoli Workload Scheduler | 2024-11-21 | N/A | 10.0 CRITICAL |
|
IBM Tivoli Workload Scheduler 9.4, 9.5, and 10.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 226328.
|
|||||
| CVE-2022-22358 | 1 Ibm | 2 Partner Engagement Manager, Partner Engagement Manager On Cloud\/saas | 2024-11-21 | N/A | 7.1 HIGH |
|
IBM Sterling Partner Engagement Manager 6.1.2, 6.2, and Cloud/SasS 22.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 220651.
|
|||||
| CVE-2022-21949 | 1 Opensuse | 1 Open Build Service | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
|
A Improper Restriction of XML External Entity Reference vulnerability in SUSE Open Build Service allows remote attackers to reference external entities in certain operations. This can be used to gain information from the server that can be abused to escalate to Admin privileges on OBS. This issue affects: SUSE Open Build Service Open Build Service versions prior to 2.10.13.
|
|||||