Total
1209 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-20780 | 1 Cisco | 1 Enterprise Nfv Infrastructure Software | 2024-11-21 | 4.3 MEDIUM | 9.9 CRITICAL |
|
Multiple vulnerabilities in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an attacker to escape from the guest virtual machine (VM) to the host machine, inject commands that execute at the root level, or leak system data from the host to the VM. For more information about these vulnerabilities, see the Details section of this advisory.
|
|||||
| CVE-2022-1704 | 1 Inductiveautomation | 1 Ignition | 2024-11-21 | N/A | 7.6 HIGH |
|
Due to an XML external entity reference, the software parses XML in the backup/restore functionality without XML security flags, which may lead to a XXE attack while restoring the backup.
|
|||||
| CVE-2022-1700 | 1 Forcepoint | 5 Cloud Security Gateway, Data Loss Prevention, Email Security and 2 more | 2024-11-21 | N/A | 7.5 HIGH |
|
Improper Restriction of XML External Entity Reference ('XXE') vulnerability in the Policy Engine of Forcepoint Data Loss Prevention (DLP), which is also leveraged by Forcepoint One Endpoint (F1E), Web Security Content Gateway, Email Security with DLP enabled, and Cloud Security Gateway prior to June 20, 2022. The XML parser in the Policy Engine was found to be improperly configured to support external entities and external DTD (Document Type Definitions), which can lead to an XXE attack. This is ...
Show More |
|||||
| CVE-2022-1331 | 1 Deltaww | 1 Dmars | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
|
In four instances DMARS (All versions prior to v2.1.10.24) does not properly restrict references of XML external entities while processing specific project files, which may allow unauthorized information disclosure.
|
|||||
| CVE-2022-1018 | 1 Rockwellautomation | 3 Connected Components Workbench, Isagraf, Safety Instrumented Systems Workstation | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
|
When opening a malicious solution file provided by an attacker, the application suffers from an XML external entity vulnerability due to an unsafe call within a dynamic link library file. An attacker could exploit this to pass data from local files to a remote web server, leading to a loss of confidentiality.
|
|||||
| CVE-2022-0861 | 1 Mcafee | 1 Epolicy Orchestrator | 2024-11-21 | 5.5 MEDIUM | 3.5 LOW |
|
A XML Extended entity vulnerability in McAfee Enterprise ePolicy Orchestrator (ePO) prior to 5.10 Update 13 allows a remote administrator attacker to upload a malicious XML file through the extension import functionality. The impact is limited to some access to confidential information and some ability to alter data.
|
|||||
| CVE-2022-0272 | 1 Detekt | 1 Detekt | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Improper Restriction of XML External Entity Reference in GitHub repository detekt/detekt prior to 1.20.0.
|
|||||
| CVE-2022-0265 | 1 Hazelcast | 1 Hazelcast | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Improper Restriction of XML External Entity Reference in GitHub repository hazelcast/hazelcast in 5.1-BETA-1.
|
|||||
| CVE-2022-0239 | 1 Stanford | 1 Corenlp | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
corenlp is vulnerable to Improper Restriction of XML External Entity Reference
|
|||||
| CVE-2022-0221 | 1 Schneider-electric | 1 Scadapack Workbench | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
|
A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could result in information disclosure when opening a malicious solution file provided by an attacker with SCADAPack Workbench. This could be exploited to pass data from local files to a remote system controlled by an attacker. Affected Product: SCADAPack Workbench (6.6.8a and prior)
|
|||||
| CVE-2022-0219 | 1 Jadx Project | 1 Jadx | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
|
Improper Restriction of XML External Entity Reference in GitHub repository skylot/jadx prior to 1.3.2.
|
|||||
| CVE-2022-0217 | 1 Prosody | 1 Prosody | 2024-11-21 | N/A | 7.5 HIGH |
|
It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611).
|
|||||
| CVE-2022-0198 | 1 Stanford | 1 Corenlp | 2024-11-21 | 5.8 MEDIUM | 7.1 HIGH |
|
corenlp is vulnerable to Improper Restriction of XML External Entity Reference
|
|||||
| CVE-2021-4311 | 1 Talend | 1 Open Studio | 2024-11-21 | 4.9 MEDIUM | 5.5 MEDIUM |
|
A vulnerability classified as problematic was found in Talend Open Studio for MDM. This vulnerability affects unknown code of the component XML Handler. The manipulation leads to xml external entity reference. The patch is identified as 31d442b9fb1d518128fd18f6e4d54e06c3d67793. It is recommended to apply a patch to fix this issue. VDB-217666 is the identifier assigned to this vulnerability.
|
|||||
| CVE-2021-4295 | 1 Healthit | 1 Code-validator-api | 2024-11-21 | N/A | 5.5 MEDIUM |
|
A vulnerability classified as problematic was found in ONC code-validator-api up to 1.0.30. This vulnerability affects the function vocabularyValidationConfigurations of the file src/main/java/org/sitenv/vocabularies/configuration/CodeValidatorApiConfiguration.java of the component XML Handler. The manipulation leads to xml external entity reference. Upgrading to version 1.0.31 is able to address this issue. The name of the patch is fbd8ea121755a2d3d116b13f235bc8b61d8449af. It is recommended to ...
Show More |
|||||
| CVE-2021-47621 | 2024-11-21 | N/A | 7.5 HIGH | ||
|
ClassGraph before 4.8.112 was not resistant to XML eXternal Entity (XXE) attacks.
|
|||||
| CVE-2021-46660 | 1 Signiant | 1 Manager\+agents | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Signiant Manager+Agents before 15.1 allows XML External Entity (XXE) attacks.
|
|||||
| CVE-2021-46365 | 1 Magnolia-cms | 1 Magnolia Cms | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
|
An issue in the Export function of Magnolia v6.2.3 and below allows attackers to execute XML External Entity attacks via a crafted XLF file.
|
|||||
| CVE-2021-45981 | 1 Netscout | 1 Ngeniusone | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
NetScout nGeniusONE 6.3.2 allows an XML External Entity (XXE) attack.
|
|||||
| CVE-2021-45096 | 1 Knime | 1 Knime Analytics Platform | 2024-11-21 | 4.3 MEDIUM | 4.7 MEDIUM |
|
KNIME Analytics Platform before 4.5.0 is vulnerable to XXE (external XML entity injection) via a crafted workflow file (.knwf), aka AP-17730.
|
|||||
| CVE-2021-45024 | 1 Rocketsoftware | 1 Ags-zena | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
ASG technologies ( A Rocket Software Company) ASG-Zena Cross Platform Server Enterprise Edition 4.2.1 is vulnerable to XML External Entity (XXE).
|
|||||
| CVE-2021-44557 | 1 Kb | 1 Multiner | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
|
National Library of the Netherlands multiNER <= c0440948057afc6e3d6b4903a7c05e666b94a3bc is affected by an XML External Entity (XXE) vulnerability in multiNER/ner.py. Since XML parsing resolves external entities, a malicious XML stream could leak internal files and/or cause a DoS.
|
|||||
| CVE-2021-44556 | 1 Kb | 1 Digger | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
|
National Library of the Netherlands digger < 6697d1269d981e35e11f240725b16401b5ce3db5 is affected by a XML External Entity (XXE) vulnerability. Since XML parsing resolves external entities, a malicious XML stream could leak internal files and/or cause a DoS.
|
|||||
| CVE-2021-44477 | 1 Ge | 1 Toolboxst | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
GE Gas Power ToolBoxST Version v04.07.05C suffers from an XML external entity (XXE) vulnerability using the DTD parameter entities technique that could result in disclosure and retrieval of arbitrary data on the affected node via an out-of-band (OOB) attack. The vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project/template file.
|
|||||
| CVE-2021-44147 | 1 Claris | 2 Filemaker Pro, Filemaker Server | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
|
An XML External Entity issue in Claris FileMaker Pro and Server (including WebDirect) before 19.4.1 allows a remote attacker to disclose local files via a crafted XML/Excel document and perform server-side request forgery attacks.
|
|||||
| CVE-2021-44028 | 1 Quest | 1 Kace Desktop Authority | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
|
XXE can occur in Quest KACE Desktop Authority before 11.2 because the log4net configuration file might be controlled by an attacker, a related issue to CVE-2018-1285.
|
|||||
| CVE-2021-43990 | 1 Fanuc | 1 Roboguide | 2024-11-21 | 2.6 LOW | 6.1 MEDIUM |
|
The affected product is vulnerable to a network-based attack by threat actors supplying a crafted, malicious XML payload designed to trigger an external entity reference call.
|
|||||
| CVE-2021-43577 | 1 Jenkins | 1 Owasp Dependency-check | 2024-11-21 | 5.5 MEDIUM | 7.1 HIGH |
|
Jenkins OWASP Dependency-Check Plugin 5.1.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
|
|||||
| CVE-2021-43576 | 1 Jenkins | 1 Pom2config | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
Jenkins pom2config Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks, allowing attackers with Overall/Read and Item/Read permissions to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
|
|||||
| CVE-2021-43142 | 1 Jox Project | 1 Jox | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
An XML External Entity (XXE) vulnerability exists in wuta jox 1.16 in the readObject method in JOXSAXBeanInput.
|
|||||
| CVE-2021-43090 | 1 Predic8 | 1 Soa Model | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
An XML External Entity (XXE) vulnerability exists in soa-model before 1.6.4 in the WSDLParser function.
|
|||||
| CVE-2021-42776 | 1 Cloverdx | 1 Cloverdx | 2024-11-21 | 6.8 MEDIUM | 7.7 HIGH |
|
CloverDX Server before 5.11.2 and and 5.12.x before 5.12.1 allows XXE during configuration import.
|
|||||
| CVE-2021-42646 | 1 Wso2 | 3 Api Manager, Identity Server, Identity Server As Key Manager | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
|
XML External Entity (XXE) vulnerability in the file based service provider creation feature of the Management Console in WSO2 API Manager 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; and WSO2 IS as Key Manager 5.7.0, 5.9.0, and 5.10.0; and WSO2 Identity Server 5.7.0, 5.8.0, 5.9.0, 5.10.0, and 5.11.0. Allows attackers to gain read access to sensitive information or cause a denial of service via crafted GET requests.
|
|||||
| CVE-2021-42560 | 1 Mitre | 1 Caldera | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
An issue was discovered in CALDERA 2.9.0. The Debrief plugin receives base64 encoded "SVG" parameters when generating a PDF document. These SVG documents are parsed in an unsafe manner and can be leveraged for XXE attacks (e.g., File Exfiltration, Server Side Request Forgery, Out of Band Exfiltration, etc.).
|
|||||
| CVE-2021-42194 | 1 Eyoucms | 1 Eyoucms | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
The wechat_return function in /controller/Index.php of EyouCms V1.5.4-UTF8-SP3 passes the user's input directly into the simplexml_ load_ String function, which itself does not prohibit external entities, triggering a XML external entity (XXE) injection vulnerability.
|
|||||
| CVE-2021-41770 | 1 Pingidentity | 1 Pingfederate | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Ping Identity PingFederate before 10.3.1 mishandles pre-parsing validation, leading to an XXE attack that can achieve XML file disclosure.
|
|||||
| CVE-2021-41411 | 1 Redhat | 1 Drools | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
drools <=7.59.x is affected by an XML External Entity (XXE) vulnerability in KieModuleMarshaller.java. The Validator class is not used correctly, resulting in the XXE injection vulnerability.
|
|||||
| CVE-2021-41098 | 1 Nokogiri | 1 Nokogiri | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected: Nokogiri::XML::SAX::Parse, Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser, Nokogiri::XML::SAX::PushParser, and Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML:: ...
Show More |
|||||
| CVE-2021-41042 | 1 Eclipse | 1 Lyo | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
In Eclipse Lyo versions 1.0.0 to 4.1.0, a TransformerFactory is initialized with the defaults that do not restrict DTD loading when working with RDF/XML. This allows an attacker to cause an external DTD to be retrieved.
|
|||||
| CVE-2021-40722 | 1 Adobe | 2 Experience Manager, Experience Manager Cloud Service | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
AEM Forms Cloud Service offering, as well as version 6.5.10.0 (and below) are affected by an XML External Entity (XXE) injection vulnerability that could be abused by an attacker to achieve RCE.
|
|||||