Total
1209 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-10990 | 1 Accenture | 1 Mercury | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
An XXE issue exists in Accenture Mercury before 1.12.28 because of the platformlambda/core/serializers/SimpleXmlParser.java component.
|
|||||
| CVE-2020-10799 | 1 Svglib Project | 1 Svglib | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
The svglib package through 0.9.3 for Python allows XXE attacks via an svg2rlg call.
|
|||||
| CVE-2020-10683 | 5 Canonical, Dom4j Project, Netapp and 2 more | 38 Ubuntu Linux, Dom4j, Oncommand Api Services and 35 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.
|
|||||
| CVE-2020-10629 | 1 Advantech | 1 Webaccess\/nms | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
WebAccess/NMS (versions prior to 3.0.2) does not sanitize XML input. Specially crafted XML input could allow an attacker to read sensitive files.
|
|||||
| CVE-2019-9843 | 1 Diffplug | 2 Gradle, Maven | 2024-11-21 | 5.1 MEDIUM | 7.5 HIGH |
|
In DiffPlug Spotless before 1.20.0 (library and Maven plugin) and before 3.20.0 (Gradle plugin), the XML parser would resolve external entities over both HTTP and HTTPS and didn't respect the resolveExternalEntities setting. For example, this allows disclosure of file contents to a MITM attacker if a victim performs a spotlessApply operation on an untrusted XML file.
|
|||||
| CVE-2019-9761 | 1 Phpshe | 1 Phpshe | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
An XXE issue was discovered in PHPSHE 1.7, which can be used to read any file in the system or scan the internal network without authentication. This occurs because of the call to wechat_getxml in include/plugin/payment/wechat/notify_url.php.
|
|||||
| CVE-2019-9757 | 1 Labkey | 1 Labkey Server | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
An issue was discovered in LabKey Server 19.1.0. Sending an SVG containing an XXE payload to the endpoint visualization-exportImage.view or visualization-exportPDF.view allows local files to be read.
|
|||||
| CVE-2019-9658 | 3 Checkstyle, Debian, Fedoraproject | 3 Checkstyle, Debian Linux, Fedora | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
Checkstyle before 8.18 loads external DTDs by default.
|
|||||
| CVE-2019-9488 | 1 Trendmicro | 2 Deep Security Manager, Vulnerability Protection | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
|
Trend Micro Deep Security Manager (10.x, 11.x) and Vulnerability Protection (2.0) are vulnerable to a XML External Entity Attack. However, for the attack to be possible, the attacker must have root/admin access to a protected host which is authorized to communicate with the Deep Security Manager (DSM).
|
|||||
| CVE-2019-8999 | 1 Blackberry | 1 Unified Endpoint Management | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
An XML External Entity vulnerability in the UEM Core of BlackBerry UEM version(s) earlier than 12.10.1a could allow an attacker to potentially gain read access to files on any system reachable by the UEM service account.
|
|||||
| CVE-2019-8997 | 1 Blackberry | 1 Athoc | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
|
An XML External Entity Injection (XXE) vulnerability in the Management System (console) of BlackBerry AtHoc versions earlier than 7.6 HF-567 could allow an attacker to potentially read arbitrary local files from the application server or make requests on the network by entering maliciously crafted XML in an existing field.
|
|||||
| CVE-2019-8126 | 1 Magento | 1 Magento | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
|
An XML entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can craft document type definition for an XML representing XML layout. The crafted document type definition and XML layout allow processing of external entities which can lead to information disclosure.
|
|||||
| CVE-2019-8087 | 1 Adobe | 1 Experience Manager | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Adobe Experience Manager versions 6.5, 6.4, 6.3 and 6.2 have a xml external entity injection vulnerability. Successful exploitation could lead to sensitive information disclosure.
|
|||||
| CVE-2019-8086 | 1 Adobe | 1 Experience Manager | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Adobe Experience Manager versions 6.5, 6.4, 6.3 and 6.2 have a xml external entity injection vulnerability. Successful exploitation could lead to sensitive information disclosure.
|
|||||
| CVE-2019-8082 | 1 Adobe | 1 Experience Manager | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Adobe Experience Manager versions 6.4, 6.3 and 6.2 have a xml external entity injection vulnerability. Successful exploitation could lead to sensitive information disclosure.
|
|||||
| CVE-2019-7847 | 3 Adobe, Linux, Microsoft | 3 Campaign, Linux Kernel, Windows | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Adobe Campaign Classic version 18.10.5-8984 and earlier versions have an Improper Restriction of XML External Entity Reference ('XXE') vulnerability. Successful exploitation could lead to Arbitrary read access to the file system in the context of the current user.
|
|||||
| CVE-2019-7722 | 1 Pmd Project | 1 Pmd | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
|
PMD 5.8.1 and earlier processes XML external entities in ruleset files it parses as part of the analysis process, allowing attackers tampering it (either by direct modification or MITM attacks when using remote rulesets) to perform information disclosure, denial of service, or request forgery attacks. (PMD 6.x is unaffected because of a 2017-09-15 change.)
|
|||||
| CVE-2019-7442 | 1 Cyberark | 1 Enterprise Password Vault | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
An XML external entity (XXE) vulnerability in the Password Vault Web Access (PVWA) of CyberArk Enterprise Password Vault <=10.7 allows remote attackers to read arbitrary files or potentially bypass authentication via a crafted DTD in the SAML authentication system.
|
|||||
| CVE-2019-6194 | 1 Lenovo | 1 Xclarity Administrator | 2024-11-21 | 4.3 MEDIUM | 5.7 MEDIUM |
|
An XML External Entity (XXE) processing vulnerability was reported in Lenovo XClarity Administrator (LXCA) versions prior to 2.6.6 that could allow information disclosure.
|
|||||
| CVE-2019-6179 | 1 Lenovo | 2 Xclarity Administrator, Xclarity Integrator | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
An XML External Entity (XXE) processing vulnerability was reported in Lenovo XClarity Administrator (LXCA) prior to version 2.5.0 , Lenovo XClarity Integrator (LXCI) for Microsoft System Center prior to version 7.7.0, and Lenovo XClarity Integrator (LXCI) for VMWare vCenter prior to version 6.1.0 that could allow information disclosure.
|
|||||
| CVE-2019-5918 | 1 Nablarch Project | 1 Nablarch | 2024-11-21 | 8.5 HIGH | 9.1 CRITICAL |
|
Nablarch 5 (5, and 5u1 to 5u13) allows remote attackers to conduct XML External Entity (XXE) attacks via unspecified vectors.
|
|||||
| CVE-2019-5748 | 1 Traccar | 1 Server | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
In Traccar Server version 4.2, protocol/SpotProtocolDecoder.java might allow XXE attacks.
|
|||||
| CVE-2019-4730 | 2 Ibm, Netapp | 2 Cognos Analytics, Oncommand Insight | 2024-11-21 | 5.5 MEDIUM | 7.1 HIGH |
|
IBM Cognos Analytics 11.0 and 11.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 172533.
|
|||||
| CVE-2019-4707 | 1 Ibm | 1 Security Access Manager | 2024-11-21 | 5.5 MEDIUM | 7.1 HIGH |
|
IBM Security Access Manager Appliance 9.0.7.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 172018.
|
|||||
| CVE-2019-4513 | 1 Ibm | 1 Security Access Manager For Enterprise Single Sign-on | 2024-11-21 | 6.4 MEDIUM | 8.2 HIGH |
|
IBM Security Access Manager for Enterprise Single Sign-On 8.2.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 164555.
|
|||||
| CVE-2019-4456 | 1 Ibm | 1 Daeja Viewone | 2024-11-21 | 5.5 MEDIUM | 7.1 HIGH |
|
IBM Daeja ViewONE Professional, Standard & Virtual 5.0.5 and 5.0.6 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 163620.
|
|||||
| CVE-2019-4433 | 1 Ibm | 2 Infosphere Global Name Management, Infosphere Identity Insight | 2024-11-21 | 6.4 MEDIUM | 8.2 HIGH |
|
IBM InfoSphere Global Name Management 5.0 and 6.0 and IBM InfoSphere Identity Insight 8.1 and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 162890.
|
|||||
| CVE-2019-4424 | 1 Ibm | 2 Business Automation Workflow, Business Process Manager | 2024-11-21 | 6.4 MEDIUM | 8.2 HIGH |
|
IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1, and 19.0.0.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 162770.
|
|||||
| CVE-2019-4419 | 1 Ibm | 3 Intelligent Operations Center, Intelligent Operations Center For Emergency Management, Water Operations For Waternamics | 2024-11-21 | 6.4 MEDIUM | 8.2 HIGH |
|
IBM Intelligent Operations Center V5.1.0 through V5.2.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 162737.
|
|||||
| CVE-2019-4391 | 1 Hcltech | 1 Appscan | 2024-11-21 | 6.4 MEDIUM | 8.2 HIGH |
|
HCL AppScan Standard is vulnerable to XML External Entity Injection (XXE) attack when processing XML data
|
|||||
| CVE-2019-4340 | 1 Ibm | 1 Security Guardium Big Data Intelligence | 2024-11-21 | 6.4 MEDIUM | 8.2 HIGH |
|
IBM Security Guardium Big Data Intelligence 4.0 (SonarG) is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 161419.
|
|||||
| CVE-2019-4208 | 1 Ibm | 1 Tririga Application Platform | 2024-11-21 | 5.5 MEDIUM | 7.1 HIGH |
|
IBM TRIRIGA Application Platform 3.5.3 and 3.6.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 159129.
|
|||||
| CVE-2019-4062 | 1 Ibm | 1 I2 Intelligent Analysis Platform | 2024-11-21 | 5.5 MEDIUM | 7.1 HIGH |
|
IBM i2 Intelligent Analyis Platform 9.0.0 through 9.1.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 157007.
|
|||||
| CVE-2019-4043 | 1 Ibm | 1 Sterling B2b Integrator | 2024-11-21 | 5.5 MEDIUM | 7.1 HIGH |
|
IBM Sterling B2B Integrator Standard Edition 5.2.0 snf 6.0.0.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 156239.
|
|||||
| CVE-2019-3774 | 1 Pivotal Software | 1 Spring Batch | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Spring Batch versions 3.0.9, 4.0.1, 4.1.0, and older unsupported versions, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.
|
|||||
| CVE-2019-3773 | 2 Oracle, Pivotal Software | 3 Financial Services Analytical Applications Infrastructure, Flexcube Private Banking, Spring Web Services | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.
|
|||||
| CVE-2019-3772 | 2 Oracle, Vmware | 2 Retail Customer Management And Segmentation Foundation, Spring Integration | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Spring Integration (spring-integration-xml and spring-integration-ws modules), versions 4.3.18, 5.0.10, 5.1.1, and older unsupported versions, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.
|
|||||
| CVE-2019-3768 | 1 Emc | 1 Rsa Authentication Manager | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
RSA Authentication Manager versions prior to 8.4 P7 contain an XML Entity Injection Vulnerability. A remote authenticated malicious user could potentially exploit this vulnerability to cause information disclosure of local system files by supplying specially crafted XML message.
|
|||||
| CVE-2019-3752 | 1 Dell | 2 Emc Avamar Server, Emc Integrated Data Protection Appliance | 2024-11-21 | 6.4 MEDIUM | 8.2 HIGH |
|
Dell EMC Avamar Server versions 7.4.1, 7.5.0, 7.5.1, 18.2 and 19.1 and Dell EMC Integrated Data Protection Appliance (IDPA) versions 2.0, 2.1, 2.2, 2.3 and 2.4. contain an XML External Entity(XXE) Injection vulnerability. A remote unauthenticated malicious user could potentially exploit this vulnerability to cause Denial of Service or information exposure by supplying specially crafted document type definitions (DTDs) in an XML request.
|
|||||
| CVE-2019-3722 | 1 Dell | 1 Emc Openmanage Server Administrator | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Dell EMC OpenManage Server Administrator (OMSA) versions prior to 9.1.0.3 and prior to 9.2.0.4 contain an XML external entity (XXE) injection vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to read arbitrary server system files by supplying specially crafted document type definitions (DTDs) in an XML request.
|
|||||