Total
1209 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-25215 | 1 Yworks | 1 Yed | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
yWorks yEd Desktop before 3.20.1 allows XXE attacks via an XML or GraphML document.
|
|||||
| CVE-2020-25186 | 1 We-con | 1 Levistudiou | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
An XXE vulnerability exists within LeviStudioU Release Build 2019-09-21 and prior when processing parameter entities, which may allow file disclosure.
|
|||||
| CVE-2020-24656 | 1 Maltego | 1 Maltego | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
Maltego before 4.2.12 allows XXE attacks.
|
|||||
| CVE-2020-24591 | 1 Wso2 | 5 Api Manager, Api Manager Analytics, Api Microgateway and 2 more | 2024-11-21 | 5.5 MEDIUM | 6.5 MEDIUM |
|
The Management Console in certain WSO2 products allows XXE attacks during EventReceiver updates. This affects API Manager through 3.0.0, API Manager Analytics 2.2.0 and 2.5.0, API Microgateway 2.2.0, Enterprise Integrator 6.2.0 and 6.3.0, and Identity Server Analytics through 5.6.0.
|
|||||
| CVE-2020-24589 | 1 Wso2 | 2 Api Manager, Api Microgateway | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
|
The Management Console in WSO2 API Manager through 3.1.0 and API Microgateway 2.2.0 allows XML External Entity injection (XXE) attacks.
|
|||||
| CVE-2020-24454 | 1 Intel | 1 Quartus Prime | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Improper Restriction of XML External Entity Reference in subsystem forIntel(R) Quartus(R) Prime Pro Edition before version 20.3 and Intel(R) Quartus(R) Prime Standard Edition before version 20.2 may allow unauthenticated user to potentially enable information disclosure via network access.
|
|||||
| CVE-2020-24379 | 3 Canonical, Debian, Yaws | 3 Ubuntu Linux, Debian Linux, Yaws | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL |
|
WebDAV implementation in Yaws web server versions 1.81 to 2.0.7 is vulnerable to XXE injection.
|
|||||
| CVE-2020-24052 | 1 Moog | 4 Exvf5c-2, Exvf5c-2 Firmware, Exvp7c2-3 and 1 more | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
|
Several XML External Entity (XXE) vulnerabilities in the Moog EXO Series EXVF5C-2 and EXVP7C2-3 units allow remote unauthenticated users to read arbitrary files via a crafted Document Type Definition (DTD) in an XML request.
|
|||||
| CVE-2020-21641 | 1 Zohocorp | 1 Manageengine Analytics Plus | 2024-11-21 | N/A | 7.5 HIGH |
|
Out-of-Band XML External Entity (OOB-XXE) vulnerability in Zoho ManageEngine Analytics Plus before 4.3.5 allows remote attackers to read arbitrary files, enumerate folders and scan internal ports via crafted XML license file.
|
|||||
| CVE-2020-21524 | 1 Halo | 1 Halo | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
|
There is a XML external entity (XXE) vulnerability in halo v1.1.3, The function of importing other blogs in the background(/api/admin/migrations/wordpress) needs to parse the xml file, but it is not used for security defense, This vulnerability can detect the intranet, read files, enable ddos attacks, etc. exp:https://github.com/halo-dev/halo/issues/423
|
|||||
| CVE-2020-1975 | 1 Paloaltonetworks | 1 Pan-os | 2024-11-21 | 6.5 MEDIUM | 6.8 MEDIUM |
|
Missing XML validation vulnerability in the PAN-OS web interface on Palo Alto Networks PAN-OS software allows authenticated users to inject arbitrary XML that results in privilege escalation. This issue affects PAN-OS 8.1 versions earlier than PAN-OS 8.1.12 and PAN-OS 9.0 versions earlier than PAN-OS 9.0.6. This issue does not affect PAN-OS 7.1, PAN-OS 8.0, or PAN-OS 9.1 or later versions.
|
|||||
| CVE-2020-1693 | 1 Redhat | 1 Spacewalk | 2024-11-21 | 7.5 HIGH | 8.6 HIGH |
|
A flaw was found in Spacewalk up to version 2.9 where it was vulnerable to XML internal entity attacks via the /rpc/api endpoint. An unauthenticated remote attacker could use this flaw to retrieve the content of certain files and trigger a denial of service, or in certain circumstances, execute arbitrary code on the Spacewalk server.
|
|||||
| CVE-2020-19954 | 1 S-cms | 1 S-cms | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
An XML External Entity (XXE) vulnerability was discovered in /api/notify.php in S-CMS 3.0 which allows attackers to read arbitrary files.
|
|||||
| CVE-2020-18705 | 1 Quokka Project | 1 Quokka | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
XML External Entities (XXE) in Quokka v0.4.0 allows remote attackers to execute arbitrary code via the component 'quokka/core/content/views.py'.
|
|||||
| CVE-2020-18703 | 1 Quokka Project | 1 Quokka | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
XML External Entities (XXE) in Quokka v0.4.0 allows remote attackers to execute arbitrary code via the component 'quokka/utils/atom.py'.
|
|||||
| CVE-2020-17408 | 1 Nec | 1 Expresscluster X | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
This vulnerability allows remote attackers to disclose sensitive information on affected installations of NEC ExpressCluster 4.1. Authentication is not required to exploit this vulnerability. The specific flaw exists within the clpwebmc executable. Due to the improper restriction of XML External Entity (XXE) references, a specially-crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can le ...
Show More |
|||||
| CVE-2020-17376 | 1 Openstack | 1 Nova | 2024-11-21 | 6.5 MEDIUM | 8.3 HIGH |
|
An issue was discovered in Guest.migrate in virt/libvirt/guest.py in OpenStack Nova before 19.3.1, 20.x before 20.3.1, and 21.0.0. By performing a soft reboot of an instance that has previously undergone live migration, a user may gain access to destination host devices that share the same paths as host devices previously referenced by the virtual machine on the source host. This can include block devices that map to different Cinder volumes at the destination than at the source. Only deployment ...
Show More |
|||||
| CVE-2020-15772 | 1 Gradle | 1 Enterprise | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
|
An issue was discovered in Gradle Enterprise 2018.5 - 2020.2.4. When configuring Gradle Enterprise to integrate with a SAML identity provider, an XML metadata file can be uploaded by an administrator. The server side processing of this file dereferences XML External Entities (XXE), allowing a remote attacker with administrative access to perform server side request forgery.
|
|||||
| CVE-2020-15419 | 1 Veeam | 2 One, One Firmware | 2024-11-21 | 7.8 HIGH | 7.5 HIGH |
|
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Veeam ONE 10.0.0.750_20200415. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Reporter_ImportLicense class. Due to the improper restriction of XML External Entity (XXE) references, a specially crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An ...
Show More |
|||||
| CVE-2020-15418 | 1 Veeam | 2 One, One Firmware | 2024-11-21 | 7.8 HIGH | 7.5 HIGH |
|
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Veeam ONE 10.0.0.750_20200415. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SSRSReport class. Due to the improper restriction of XML External Entity (XXE) references, a specially crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker ca ...
Show More |
|||||
| CVE-2020-15352 | 2 Ivanti, Pulsesecure | 4 Connect Secure, Policy Secure, Pulse Connect Secure and 1 more | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
An XML external entity (XXE) vulnerability in Pulse Connect Secure (PCS) before 9.1R9 and Pulse Policy Secure (PPS) before 9.1R9 allows remote authenticated admins to conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.
|
|||||
| CVE-2020-15232 | 1 Mapfish | 1 Print | 2024-11-21 | 6.4 MEDIUM | 9.3 CRITICAL |
|
In mapfish-print before version 3.24, a user can do to an XML External Entity (XXE) attack with the provided SDL style.
|
|||||
| CVE-2020-14940 | 1 Herac | 1 Tuxguitar | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
An issue was discovered in io/gpx/GPXDocumentReader.java in TuxGuitar 1.5.4. It uses misconfigured XML parsers, leading to XXE while loading GP6 (.gpx) and GP7 (.gp) tablature files.
|
|||||
| CVE-2020-14379 | 1 Redhat | 1 Jboss A-mq | 2024-11-21 | N/A | 5.6 MEDIUM |
|
A flaw was found in Red Hat AMQ Broker in a way that a XEE attack can be done via Broker's configuration files, leading to denial of service and information disclosure.
|
|||||
| CVE-2020-14204 | 1 Ibi | 1 Webfocus Business Intelligence | 2024-11-21 | 5.8 MEDIUM | 8.2 HIGH |
|
In WebFOCUS Business Intelligence 8.0 (SP6), the administration portal allows remote attackers to read arbitrary local files or forge server-side HTTP requests via a crafted HTTP request to /ibi_apps/WFServlet.cfg because XML external entity injection is possible. This is related to making changes to the application repository configuration.
|
|||||
| CVE-2020-14029 | 1 Ozeki | 1 Ozeki Ng Sms Gateway | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
An issue was discovered in Ozeki NG SMS Gateway through 4.17.6. The RSS To SMS module processes XML files in an unsafe manner. This opens the application to an XML External Entity attack that can be used to perform SSRF or read arbitrary local files.
|
|||||
| CVE-2020-13940 | 1 Apache | 1 Nifi | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
|
In Apache NiFi 1.0.0 to 1.11.4, the notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE).
|
|||||
| CVE-2020-13883 | 1 Wso2 | 3 Api Manager, Api Microgateway, Identity Server As Key Manager | 2024-11-21 | 6.5 MEDIUM | 6.7 MEDIUM |
|
In WSO2 API Manager 3.0.0 and earlier, WSO2 API Microgateway 2.2.0, and WSO2 IS as Key Manager 5.9.0 and earlier, Management Console allows XXE during addition or update of a Lifecycle.
|
|||||
| CVE-2020-13692 | 5 Debian, Fedoraproject, Netapp and 2 more | 5 Debian Linux, Fedora, Steelstore Cloud Integrated Storage and 2 more | 2024-11-21 | 6.8 MEDIUM | 7.7 HIGH |
|
PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE.
|
|||||
| CVE-2020-12719 | 1 Wso2 | 7 Api Manager, Api Manager Analytics, Api Microgateway and 4 more | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
XXE during an EventPublisher update can occur in Management Console in WSO2 API Manager 3.0.0 and earlier, API Manager Analytics 2.5.0 and earlier, API Microgateway 2.2.0, Enterprise Integrator 6.4.0 and earlier, IS as Key Manager 5.9.0 and earlier, Identity Server 5.9.0 and earlier, and Identity Server Analytics 5.6.0 and earlier.
|
|||||
| CVE-2020-12684 | 1 Inetsoftware | 1 I-net Clear Reports | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
XXE injection can occur in i-net Clear Reports 2019 19.0.287 (Designer), as used in i-net HelpDesk and other products, when XML input containing a reference to an external entity is processed by a weakly configured XML parser.
|
|||||
| CVE-2020-12642 | 1 Reportportal | 1 Service-api | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
An issue was discovered in service-api before 4.3.12 and 5.x before 5.1.1 for Report Portal. It allows XXE, with resultant secrets disclosure and SSRF, via JUnit XML launch import.
|
|||||
| CVE-2020-12025 | 1 Rockwellautomation | 1 Studio 5000 Logix Designer | 2024-11-21 | 4.3 MEDIUM | 3.3 LOW |
|
Rockwell Automation Logix Designer Studio 5000 Versions 32.00, 32.01, and 32.02 vulnerable to an xml external entity (XXE) vulnerability, which may allow an attacker to view hostnames or other resources from the program.
|
|||||
| CVE-2020-11991 | 1 Apache | 1 Cocoon | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
When using the StreamGenerator, the code parse a user-provided XML. A specially crafted XML, including external system entities, could be used to access any file on the server system.
|
|||||
| CVE-2020-11885 | 1 Wso2 | 1 Enterprise Integrator | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
WSO2 Enterprise Integrator through 6.6.0 has an XXE vulnerability where a user (with admin console access) can use the XML validator to make unintended network invocations such as SSRF via an uploaded file.
|
|||||
| CVE-2020-11586 | 1 Cipplanner | 1 Cipace | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
An XXE issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make an API request that contains malicious XML DTD data.
|
|||||
| CVE-2020-11541 | 1 Techsmith | 1 Snagit | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
In TechSmith SnagIt 11.2.1 through 20.0.3, an XML External Entity (XXE) injection issue exists that would allow a local attacker to exfiltrate data under the local Administrator account.
|
|||||
| CVE-2020-10993 | 1 Osmand | 1 Osmand | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
|
Osmand through 2.0.0 allow XXE because of binary/BinaryMapIndexReader.java.
|
|||||
| CVE-2020-10992 | 1 Azkaban Project | 1 Azkaban | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Azkaban through 3.84.0 allows XXE, related to validator/XmlValidatorManager.java and user/XmlUserManager.java.
|
|||||
| CVE-2020-10991 | 1 Mulesoft | 1 Aplkit | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Mulesoft APIkit through 1.3.0 allows XXE because of validation/RestXmlSchemaValidator.java
|
|||||