Total
1209 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-11677 | 1 Zohocorp | 1 Manageengine Firewall Analyzer | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
The Custom Report import function in Zoho ManageEngine Firewall Analyzer before 12.3 Build 123224 is vulnerable to XML External Entity (XXE) Injection.
|
|||||
| CVE-2019-11519 | 1 Nopcommerce | 1 Nopcommerce | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
|
Libraries/Nop.Services/Localization/LocalizationService.cs in nopCommerce through 4.10 allows XXE via the "Configurations -> Languages -> Edit Language -> Import Resources -> Upload XML file" screen.
|
|||||
| CVE-2019-11392 | 1 Dotnetblogengine | 1 Blogengine.net | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
BlogEngine.NET 3.3.7 and earlier allows XXE via an apml file to syndication.axd.
|
|||||
| CVE-2019-11216 | 1 Bmc | 1 Remedy Smart Reporting | 2024-11-21 | 5.5 MEDIUM | 6.5 MEDIUM |
|
BMC Smart Reporting 7.3 20180418 allows authenticated XXE within the import functionality. One can import a malicious XML file and perform XXE attacks to download local files from the server, or do DoS attacks with XML expansion attacks. XXE with direct response and XXE OOB are allowed.
|
|||||
| CVE-2019-10976 | 1 Mitsubishielectric | 2 Electric Fr Configurator2, Electric Fr Configurator2 Firmware | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
|
Mitsubishi Electric FR Configurator2, Version 1.16S and prior. This vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project and/or template file (.frc2). Once a user opens the file, the attacker could read arbitrary files.
|
|||||
| CVE-2019-10782 | 1 Checkstyle | 1 Checkstyle | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
All versions of com.puppycrawl.tools:checkstyle before 8.29 are vulnerable to XML External Entity (XXE) Injection due to an incomplete fix for CVE-2019-9658.
|
|||||
| CVE-2019-10718 | 1 Dotnetblogengine | 1 Blogengine.net | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
BlogEngine.NET 3.3.7.0 and earlier allows XML External Entity Blind Injection, related to pingback.axd and BlogEngine.Core/Web/HttpHandlers/PingbackHandler.cs.
|
|||||
| CVE-2019-10466 | 1 Jenkins | 1 360 Fireline | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
|
An XML external entities (XXE) vulnerability in Jenkins 360 FireLine Plugin allows attackers with Overall/Read access to have Jenkins resolve external entities, resulting in the extraction of secrets from the Jenkins agent, server-side request forgery, or denial-of-service attacks.
|
|||||
| CVE-2019-10337 | 1 Jenkins | 1 Token Macro | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
An XML external entities (XXE) vulnerability in Jenkins Token Macro Plugin 2.7 and earlier allowed attackers able to control a the content of the input file for the "XML" macro to have Jenkins resolve external entities, resulting in the extraction of secrets from the Jenkins agent, server-side request forgery, or denial-of-service attacks.
|
|||||
| CVE-2019-10327 | 1 Jenkins | 1 Pipeline Maven Integration | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
|
An XML external entities (XXE) vulnerability in Jenkins Pipeline Maven Integration Plugin 1.7.0 and earlier allowed attackers able to control a temporary directory's content on the agent running the Maven build to have Jenkins parse a maliciously crafted XML file that uses external entities for extraction of secrets from the Jenkins master, server-side request forgery, or denial-of-service attacks.
|
|||||
| CVE-2019-10309 | 1 Jenkins | 1 Self-organizing Swarm Modules | 2024-11-21 | 4.8 MEDIUM | 9.3 CRITICAL |
|
Jenkins Self-Organizing Swarm Plug-in Modules Plugin clients that use UDP broadcasts to discover Jenkins masters do not prevent XML External Entity processing when processing the responses, allowing unauthorized attackers on the same network to read arbitrary files from Swarm clients.
|
|||||
| CVE-2019-10266 | 1 Ahsay | 1 Cloud Backup Suite | 2024-11-21 | 7.8 HIGH | 7.5 HIGH |
|
An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. When sending an out-of-bounds XML document to a URL, it is possible to read the file structure and even the content of files without authentication.
|
|||||
| CVE-2019-10264 | 1 Ahsay | 1 Cloud Backup Suite | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. With a valid administrator account, the "Move / Import / Export Users" screen has an Import Users option. This option accepts a ZIP archive containing a users.xml file that can trigger XXE.
|
|||||
| CVE-2019-10244 | 1 Eclipse | 1 Kura | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
In Eclipse Kura versions up to 4.0.0, the Web UI package and component services, the Artemis simple Mqtt component and the emulator position service (not part of the device distribution) could potentially be target of XXE attack due to an improper factory and parser initialisation.
|
|||||
| CVE-2019-10172 | 4 Apache, Debian, Fasterxml and 1 more | 5 Spark, Debian Linux, Jackson-mapper-asl and 2 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar CVE-2016-3720 also affects codehaus jackson-mapper-asl libraries but in different classes.
|
|||||
| CVE-2019-10080 | 1 Apache | 1 Nifi | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
The XMLFileLookupService in NiFi versions 1.3.0 to 1.9.2 allowed trusted users to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE) and reveal information such as the versions of Java, Jersey, and Apache that the NiFI instance uses.
|
|||||
| CVE-2019-1010268 | 1 Ladon Project | 1 Ladon | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Ladon since 0.6.1 (since ebef0aae48af78c159b6fce81bc6f5e7e0ddb059) is affected by: XML External Entity (XXE). The impact is: Information Disclosure, reading files and reaching internal network endpoints. The component is: SOAP request handlers. For instance: https://bitbucket.org/jakobsg/ladon/src/42944fc012a3a48214791c120ee5619434505067/src/ladon/interfaces/soap.py#lines-688. The attack vector is: Send a specially crafted SOAP call.
|
|||||
| CVE-2019-1010202 | 1 Jeesite | 1 Jeesite | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
Jeesite 1.2.7 is affected by: XML External Entity (XXE). The impact is: sensitive information disclosure. The component is: convertToModel() function in src/main/java/com.thinkgem.jeesite/modules/act/service/ActProcessService.java. The attack vector is: network connectivity,authenticated,must upload a specially crafted xml file. The fixed version is: 4.0 and later.
|
|||||
| CVE-2019-1003015 | 1 Jenkins | 1 Job Import | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
|
An XML external entity processing vulnerability exists in Jenkins Job Import Plugin 2.1 and earlier in src/main/java/org/jenkins/ci/plugins/jobimport/client/RestApiClient.java that allows attackers with the ability to control the HTTP server (Jenkins) queried in preparation of job import to read arbitrary files, perform a denial of service attack, etc.
|
|||||
| CVE-2019-0795 | 1 Microsoft | 8 Windows 10, Windows 7, Windows 8.1 and 5 more | 2024-11-21 | 9.3 HIGH | 8.8 HIGH |
|
A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka 'MS XML Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0790, CVE-2019-0791, CVE-2019-0792, CVE-2019-0793.
|
|||||
| CVE-2019-0793 | 1 Microsoft | 8 Windows 10, Windows 7, Windows 8.1 and 5 more | 2024-11-21 | 9.3 HIGH | 8.8 HIGH |
|
A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka 'MS XML Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0790, CVE-2019-0791, CVE-2019-0792, CVE-2019-0795.
|
|||||
| CVE-2019-0792 | 1 Microsoft | 8 Windows 10, Windows 7, Windows 8.1 and 5 more | 2024-11-21 | 9.3 HIGH | 8.8 HIGH |
|
A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka 'MS XML Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0790, CVE-2019-0791, CVE-2019-0793, CVE-2019-0795.
|
|||||
| CVE-2019-0791 | 1 Microsoft | 8 Windows 10, Windows 7, Windows 8.1 and 5 more | 2024-11-21 | 9.3 HIGH | 8.8 HIGH |
|
A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka 'MS XML Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0790, CVE-2019-0792, CVE-2019-0793, CVE-2019-0795.
|
|||||
| CVE-2019-0790 | 1 Microsoft | 7 Windows 10, Windows 7, Windows 8.1 and 4 more | 2024-11-21 | 9.3 HIGH | 8.8 HIGH |
|
A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka 'MS XML Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0791, CVE-2019-0792, CVE-2019-0793, CVE-2019-0795.
|
|||||
| CVE-2019-0756 | 1 Microsoft | 8 Windows 10, Windows 7, Windows 8.1 and 5 more | 2024-11-21 | 9.3 HIGH | 8.8 HIGH |
|
A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka 'MS XML Remote Code Execution Vulnerability'.
|
|||||
| CVE-2019-0340 | 1 Sap | 1 Enable Now | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM |
|
The XML parser, which is being used by SAP Enable Now, before version 1902, has not been hardened correctly, leading to Missing XML Validation vulnerability. This issue affects the file upload at multiple locations. An attacker can read local XXE files.
|
|||||
| CVE-2019-0284 | 1 Sap | 1 Hana | 2024-11-21 | 3.6 LOW | 6.0 MEDIUM |
|
SLD Registration in SAP HANA (fixed in versions 1.0, 2.0) does not sufficiently validate an XML document accepted from an untrusted source. The attacker can call SLDREG with an XML file containing a reference to an XML External Entity (XXE). This can cause SLDREG to, for example, continuously loop, read arbitrary files and even send local files.
|
|||||
| CVE-2019-0277 | 1 Sap | 1 Hana Extended Application Services | 2024-11-21 | 5.5 MEDIUM | 6.5 MEDIUM |
|
SAP HANA extended application services, version 1, advanced does not sufficiently validate an XML document accepted from an authenticated developer with privileges to the SAP space (XML External Entity vulnerability).
|
|||||
| CVE-2019-0265 | 1 Sap | 5 Advanced Business Application Programming Platform Kernel, Advanced Business Application Programming Platform Krnl32nuc, Advanced Business Application Programming Platform Krnl32uc and 2 more | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
|
SLD Registration of ABAP Platform allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. Fixed in versions KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT,KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49,KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49. 7.73 KERNEL from 7.21 to 7.22, 7.45, 7.49, 7.53, 7.73, 7.75.
|
|||||
| CVE-2019-0228 | 3 Apache, Fedoraproject, Oracle | 14 James, Pdfbox, Fedora and 11 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XFDF.
|
|||||
| CVE-2019-0188 | 2 Apache, Oracle | 5 Camel, Enterprise Data Quality, Enterprise Manager Base Platform and 2 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Apache Camel prior to 2.24.0 contains an XML external entity injection (XXE) vulnerability (CWE-611) due to using an outdated vulnerable JSON-lib library. This affects only the camel-xmljson component, which was removed.
|
|||||
| CVE-2018-9116 | 1 Wiremock | 1 Wiremock | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
|
An XXE vulnerability within WireMock before 2.16.0 allows a remote unauthenticated attacker to access local files and internal resources and potentially cause a Denial of Service.
|
|||||
| CVE-2018-8940 | 1 Enghouse | 1 Contact Center\ | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
ClientServiceConfigController.cs in Enghouse Cloud Contact Center Platform 7.2.5 has functionality for loading external XML files and parsing them, allowing an attacker to upload a malicious XML file and reference it in the URL of the application, forcing the application to load and parse the malicious XML file, aka an XXE issue.
|
|||||
| CVE-2018-8819 | 1 Carrier | 1 Automatedlogic Webctrl | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
An XXE issue was discovered in Automated Logic Corporation (ALC) WebCTRL Versions 6.0, 6.1 and 6.5. An unauthenticated attacker could enter malicious input to WebCTRL and a weakly configured XML parser will allow the application to disclose full file contents from the underlying web server OS via the "X-Wap-Profile" HTTP header.
|
|||||
| CVE-2018-8533 | 1 Microsoft | 1 Sql Server Management Studio | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
|
An information disclosure vulnerability exists in Microsoft SQL Server Management Studio (SSMS) when parsing malicious XML content containing a reference to an external entity, aka "SQL Server Management Studio Information Disclosure Vulnerability." This affects SQL Server Management Studio 17.9, SQL Server Management Studio 18.0. This CVE ID is unique from CVE-2018-8527, CVE-2018-8532.
|
|||||
| CVE-2018-8532 | 1 Microsoft | 1 Sql Server Management Studio | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
|
An information disclosure vulnerability exists in Microsoft SQL Server Management Studio (SSMS) when parsing a malicious XMLA file containing a reference to an external entity, aka "SQL Server Management Studio Information Disclosure Vulnerability." This affects SQL Server Management Studio 17.9, SQL Server Management Studio 18.0. This CVE ID is unique from CVE-2018-8527, CVE-2018-8533.
|
|||||
| CVE-2018-8527 | 1 Microsoft | 1 Sql Server Management Studio | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
|
An information disclosure vulnerability exists in Microsoft SQL Server Management Studio (SSMS) when parsing a malicious XEL file containing a reference to an external entity, aka "SQL Server Management Studio Information Disclosure Vulnerability." This affects SQL Server Management Studio 17.9, SQL Server Management Studio 18.0. This CVE ID is unique from CVE-2018-8532, CVE-2018-8533.
|
|||||
| CVE-2018-8494 | 1 Microsoft | 8 Windows 10, Windows 7, Windows 8.1 and 5 more | 2024-11-21 | 9.3 HIGH | 8.8 HIGH |
|
A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka "MS XML Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.
|
|||||
| CVE-2018-8420 | 1 Microsoft | 4 Windows 10, Windows 7, Windows 8.1 and 1 more | 2024-11-21 | 9.3 HIGH | 8.8 HIGH |
|
A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka "MS XML Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.
|
|||||
| CVE-2018-8027 | 1 Apache | 1 Camel | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Apache Camel 2.20.0 to 2.20.3 and 2.21.0 Core is vulnerable to XXE in XSD validation processor.
|
|||||