Total
1209 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-27777 | 1 Hcltech | 1 Unica | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
XML External Entity (XXE) injection vulnerabilities occur when poorly configured XML parsers process user supplied input without sufficient validation. Attackers can exploit this vulnerability to manipulate XML content and inject malicious external entity references.
|
|||||
| CVE-2021-27741 | 1 Hcltechsw | 1 Hcl Commerce | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
|
" Security vulnerability in HCL Commerce Management Center allowing XML external entity (XXE) injection"
|
|||||
| CVE-2021-27736 | 1 Fusionauth | 1 Saml V2 | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
FusionAuth fusionauth-samlv2 before 0.5.4 allows XXE attacks via a forged AuthnRequest or LogoutRequest because parseFromBytes uses javax.xml.parsers.DocumentBuilderFactory unsafely.
|
|||||
| CVE-2021-27635 | 1 Sap | 1 Netweaver Application Server For Java | 2024-11-21 | 5.5 MEDIUM | 6.5 MEDIUM |
|
SAP NetWeaver AS for JAVA, versions - 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker authenticated as an administrator to connect over a network and submit a specially crafted XML file in the application because of missing XML Validation, this vulnerability enables attacker to fully compromise confidentiality by allowing them to read any file on the filesystem or fully compromise availability by causing the system to crash. The attack cannot be used to change any data so that there is no compr ...
Show More |
|||||
| CVE-2021-27604 | 1 Sap | 1 Netweaver Process Integration | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
In order to prevent XML External Entity vulnerability in SAP NetWeaver ABAP Server and ABAP Platform (Process Integration - Enterprise Service Repository JAVA Mappings), versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50, SAP recommends to refer this note.
|
|||||
| CVE-2021-27492 | 3 Datakit, Luxion, Siemens | 6 Crosscadware, Keyshot, Solid Edge Se2020 and 3 more | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
|
When opening a specially crafted 3DXML file, the application containing Datakit Software libraries CatiaV5_3dRead, CatiaV6_3dRead, Step3dRead, Ug3dReadPsr, Jt3dReadPsr modules in KeyShot Versions v10.1 and prior could disclose arbitrary files to remote attackers. This is because of the passing of specially crafted content to the underlying XML parser without taking proper restrictions such as prohibiting an external DTD.
|
|||||
| CVE-2021-27184 | 1 Pelco | 1 Digital Sentry Server | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Pelco Digital Sentry Server 7.18.72.11464 has an XML External Entity vulnerability (exploitable via the DTD parameter entities technique), resulting in disclosure and retrieval of arbitrary data on the affected node via an out-of-band (OOB) attack. The vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the ControlPointCacheShare.xml file (in a %APPDATA%\Pelco directory) when DSControlPoint.exe is executed.
|
|||||
| CVE-2021-26969 | 1 Arubanetworks | 1 Airwave | 2024-11-21 | 5.5 MEDIUM | 6.5 MEDIUM |
|
A remote authenticated authenticated xml external entity (xxe) vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0. Due to improper restrictions on XML entities a vulnerability exists in the web-based management interface of AirWave. A successful exploit could allow an authenticated attacker to retrieve files from the local system or cause the application to consume system resources, resulting in a denial of service condition.
|
|||||
| CVE-2021-26703 | 1 Eprints | 1 Eprints | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
EPrints 3.4.2 allows remote attackers to read arbitrary files and possibly execute commands via crafted JSON/XML input to a cgi/ajax/phrase URI.
|
|||||
| CVE-2021-25951 | 1 Xml2dict Project | 1 Xml2dict | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
XXE vulnerability in 'XML2Dict' version 0.2.2 allows an attacker to cause a denial of service.
|
|||||
| CVE-2021-25165 | 1 Arubanetworks | 1 Airwave | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
|
A remote XML external entity vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability.
|
|||||
| CVE-2021-25164 | 1 Arubanetworks | 1 Airwave | 2024-11-21 | 5.5 MEDIUM | 6.5 MEDIUM |
|
A remote XML external entity vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability.
|
|||||
| CVE-2021-25163 | 1 Arubanetworks | 1 Airwave | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
|
A remote XML external entity vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability.
|
|||||
| CVE-2021-23901 | 2 Apache, Netapp | 2 Nutch, Snap Creator Framework | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
|
An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions < 1.18. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access. This issue is fixed in ...
Show More |
|||||
| CVE-2021-23899 | 1 Owasp | 1 Json-sanitizer | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
OWASP json-sanitizer before 1.2.2 may emit closing SCRIPT tags and CDATA section delimiters for crafted input. This allows an attacker to inject arbitrary HTML or XML into embedding documents.
|
|||||
| CVE-2021-23792 | 1 Twelvemonkeys Project | 1 Twelvemonkeys | 2024-11-21 | 7.5 HIGH | 7.3 HIGH |
|
The package com.twelvemonkeys.imageio:imageio-metadata before 3.7.1 are vulnerable to XML External Entity (XXE) Injection due to an insecurely initialized XML parser for reading XMP Metadata. An attacker can exploit this vulnerability if they are able to supply a file (e.g. when an online profile picture is processed) with a malicious XMP segment. If the XMP metadata of the uploaded image is parsed, then the XXE vulnerability is triggered.
|
|||||
| CVE-2021-23463 | 1 H2database | 1 H2 | 2024-11-21 | 6.4 MEDIUM | 8.1 HIGH |
|
The package com.h2database:h2 from 1.4.198 and before 2.0.202 are vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it executes the getSource() method when the parameter is DOMSource.class it will trigger the vulnerability.
|
|||||
| CVE-2021-23418 | 1 Glances Project | 1 Glances | 2024-11-21 | 7.5 HIGH | 6.3 MEDIUM |
|
The package glances before 3.2.1 are vulnerable to XML External Entity (XXE) Injection via the use of Fault to parse untrusted XML data, which is known to be vulnerable to XML attacks.
|
|||||
| CVE-2021-22523 | 1 Microfocus | 1 Verastream Host Integrator | 2024-11-21 | 6.8 MEDIUM | 7.6 HIGH |
|
XML External Entity vulnerability in Micro Focus Verastream Host Integrator, affecting version 7.8 Update 1 and earlier versions. The vulnerability could allow the control of web browser and hijacking user sessions.
|
|||||
| CVE-2021-22498 | 1 Microfocus | 1 Application Lifecycle Management | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
|
XML External Entity Injection vulnerability in Micro Focus Application Lifecycle Management (Previously known as Quality Center) product. The vulnerability affects versions 12.x, 12.60 Patch 5 and earlier, 15.0.1 Patch 2 and earlier and 15.5. The vulnerability could be exploited to allow an XML External Entity Injection.
|
|||||
| CVE-2021-22338 | 1 Huawei | 2 Ecns280, Ecns280 Firmware | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
There is an XXE injection vulnerability in eCNS280 V100R005C00 and V100R005C10. A module does not perform the strict operation to the input XML message. Attacker can send specific message to exploit this vulnerability, leading to the module denial of service.
|
|||||
| CVE-2021-22158 | 1 Proofpoint | 1 Insider Threat Management | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
The Proofpoint Insider Threat Management Server (formerly ObserveIT Server) is vulnerable to XML external entity (XXE) injection in the Web Console. The vulnerability requires admin user privileges and knowledge of the XML file's encryption key to successfully exploit. All versions before 7.11 are affected.
|
|||||
| CVE-2021-22140 | 1 Elastic | 1 Elastic App Search | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Elastic App Search versions after 7.11.0 and before 7.12.0 contain an XML External Entity Injection issue (XXE) in the App Search web crawler beta feature. Using this vector, an attacker whose website is being crawled by App Search could craft a malicious sitemap.xml to traverse the filesystem of the host running the instance and obtain sensitive files.
|
|||||
| CVE-2021-21701 | 1 Jenkins | 1 Performance | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
Jenkins Performance Plugin 3.20 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
|
|||||
| CVE-2021-21680 | 1 Jenkins | 1 Nested View | 2024-11-21 | 5.5 MEDIUM | 7.1 HIGH |
|
Jenkins Nested View Plugin 1.20 and earlier does not configure its XML transformer to prevent XML external entity (XXE) attacks.
|
|||||
| CVE-2021-21672 | 1 Jenkins | 1 Selenium Html Report | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
Jenkins Selenium HTML report Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
|
|||||
| CVE-2021-21642 | 1 Jenkins | 1 Config File Provider | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
|
Jenkins Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
|
|||||
| CVE-2021-21517 | 1 Dell | 1 Emc Srs Policy Manager | 2024-11-21 | 6.4 MEDIUM | 7.2 HIGH |
|
SRS Policy Manager 6.X is affected by an XML External Entity Injection (XXE) vulnerability due to a misconfigured XML parser that processes user-supplied DTD input without sufficient validation. A remote unauthenticated attacker can potentially exploit this vulnerability to read system files as a non-root user and may be able to temporarily disrupt the ESRS service.
|
|||||
| CVE-2021-21470 | 1 Sap | 1 Enterprise Performance Management | 2024-11-21 | 3.6 LOW | 4.4 MEDIUM |
|
SAP EPM Add-in for Microsoft Office, version - 1010 and SAP EPM Add-in for SAP Analysis Office, version - 2.8, allows an authenticated attacker with user privileges to parse malicious XML files which could result in XXE-based attacks in applications that accept attacker-controlled XML configuration files. This occurs as logging service does not disable XML external entities when parsing configuration files and a successful exploit would result in limited impact on integrity and availability of t ...
Show More |
|||||
| CVE-2021-21266 | 1 Openhab | 1 Openhab | 2024-11-21 | 4.0 MEDIUM | 6.4 MEDIUM |
|
openHAB is a vendor and technology agnostic open source automation software for your home. In openHAB before versions 2.5.12 and 3.0.1 the XML external entity (XXE) attack allows attackers in the same network as the openHAB instance to retrieve internal information like the content of files from the file system. Responses to SSDP requests can be especially malicious. All add-ons that use SAX or JAXB parsing of externally received XML are potentially subject to this kind of attack. In openHAB, th ...
Show More |
|||||
| CVE-2021-20839 | 1 Antennahouse | 1 Office Server Document Converter | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
Office Server Document Converter V7.2MR4 and earlier and V7.1MR7 and earlier allows a remote unauthenticated attacker to conduct an XML External Entity (XXE) attack to cause a denial of service (DoS) condition to the other servers by processing a specially crafted XML document.
|
|||||
| CVE-2021-20838 | 1 Antennahouse | 1 Office Server Document Converter | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Office Server Document Converter V7.2MR4 and earlier and V7.1MR7 and earlier allows a remote unauthenticated attacker to conduct an XML External Entity (XXE) attack to cause a denial of service (DoS) condition by processing a specially crafted XML document.
|
|||||
| CVE-2021-20801 | 1 Cybozu | 1 Remote Service Manager | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
Cybozu Remote Service 3.1.8 to 3.1.9 allows a remote authenticated attacker to conduct XML External Entity (XXE) attacks and obtain the information stored in the product via unspecified vectors. This issue occurs only when using Mozilla Firefox.
|
|||||
| CVE-2021-20595 | 1 Mitsubishi | 38 Ae-200a, Ae-200a Firmware, Ae-200e and 35 more | 2024-11-21 | 8.5 HIGH | 8.2 HIGH |
|
Improper Restriction of XML External Entity Reference vulnerability in Mitsubishi Electric Air Conditioning System/Centralized Controllers (G-50A Ver.3.35 and prior, GB-50A Ver.3.35 and prior, GB-24A Ver.9.11 and prior, AG-150A-A Ver.3.20 and prior, AG-150A-J Ver.3.20 and prior, GB-50ADA-A Ver.3.20 and prior, GB-50ADA-J Ver.3.20 and prior, EB-50GU-A Ver 7.09 and prior, EB-50GU-J Ver 7.09 and prior, AE-200A Ver 7.93 and prior, AE-200E Ver 7.93 and prior, AE-50A Ver 7.93 and prior, AE-50E Ver 7.93 ...
Show More |
|||||
| CVE-2021-20502 | 1 Ibm | 6 Engineering Insights, Engineering Lifecycle Management, Engineering Requirements Quality Assistant On-premises and 3 more | 2024-11-21 | 5.5 MEDIUM | 7.1 HIGH |
|
IBM Jazz Foundation Products are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 198059.
|
|||||
| CVE-2021-20492 | 1 Ibm | 1 Websphere Application Server | 2024-11-21 | 6.4 MEDIUM | 8.2 HIGH |
|
IBM WebSphere Application Server 8.0, 8.5, 9.0, and Liberty Java Batch is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 197793.
|
|||||
| CVE-2021-20482 | 1 Ibm | 1 Cloud Pak For Automation | 2024-11-21 | 5.5 MEDIUM | 7.1 HIGH |
|
IBM Cloud Pak for Automation 20.0.2 and 20.0.3 IF002 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 197504.
|
|||||
| CVE-2021-20454 | 1 Ibm | 1 Websphere Application Server | 2024-11-21 | 6.4 MEDIUM | 8.2 HIGH |
|
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 196649.
|
|||||
| CVE-2021-20453 | 1 Ibm | 1 Websphere Application Server | 2024-11-21 | 6.4 MEDIUM | 8.2 HIGH |
|
IBM WebSphere Application Server 8.0, 8.5, and 9.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 196648.
|
|||||
| CVE-2021-20399 | 2 Ibm, Linux | 2 Qradar Security Information And Event Manager, Linux Kernel | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
|
IBM Qradar SIEM 7.3.0 to 7.3.3 Patch 8 and 7.4.0 to 7.4.3 GA is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 196073.
|
|||||