Total: 1209 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2018-8026 | 2 Apache, Netapp | 3 Solr, Snapcenter, Storage Automation Store | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM | This vulnerability in Apache Solr 6.0.0 to 6.6.4 and 7.0.0 to 7.3.1 relates to an XML external entity expansion (XXE) in Solr config files (currency.xml, enumsConfig.xml referred from schema.xml, TIKA parsecontext config file). In addition, Xinclude functionality provided in these config files is also affected in a similar way. The vulnerability can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network. The manipulated fi ... |
| CVE-2018-8010 | 1 Apache | 1 Solr | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM | This vulnerability in Apache Solr 6.0.0 to 6.6.3, 7.0.0 to 7.3.0 relates to an XML external entity expansion (XXE) in Solr config files (solrconfig.xml, schema.xml, managed-schema). In addition, Xinclude functionality provided in these config files is also affected in a similar way. The vulnerability can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network. Users are advised to upgrade to either Solr 6.6.4 or Solr 7.3.1 ... |
| CVE-2018-7837 | 1 Schneider-electric | 1 Iiot Monior | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | An Improper Restriction of XML External Entity Reference ('XXE') vulnerability exists on numerous methods of the IIoT Monitor 3.1.38 software that could allow the software to resolve documents outside of the intended sphere of control, causing the software to embed incorrect documents into its output and expose restricted information. |
| CVE-2018-7783 | 1 Schneider-electric | 1 Somachine Basic | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | Schneider Electric SoMachine Basic prior to v1.6 SP1 suffers from an XML External Entity (XXE) vulnerability using the DTD parameter entities technique resulting in disclosure and retrieval of arbitrary data on the affected node via out-of-band (OOB) attack. The vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project/template file. |
| CVE-2018-7230 | 1 Schneider-electric | 40 Ibp1110-1er, Ibp1110-1er Firmware, Ibp219-1er and 37 more | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | An XML external entity (XXE) vulnerability exists in the import.cgi of the web interface component of Schneider Electric's Pelco Sarix Professional in all firmware versions prior to 3.29.67. |
| CVE-2018-7063 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH | In Aruba ClearPass, disabled API admins can still perform read/write operations. In certain circumstances, API admins in ClearPass which have been disabled may still be able to perform read/write operations on parts of the XML API. This can lead to unauthorized access to the API and complete compromise of the ClearPass instance if an attacker knows of the existence of these accounts. |
| CVE-2018-6670 | 1 Mcafee | 1 Common Catalog | 2024-11-21 | 4.0 MEDIUM | 7.6 HIGH | External Entity Attack vulnerability in the ePO extension in McAfee Common UI (CUI) 2.0.2 allows remote authenticated users to view confidential information via a crafted HTTP request parameter. |
| CVE-2018-6489 | 1 Microfocus | 1 Project And Portfolio Management Center | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | XML External Entity (XXE) vulnerability in Micro Focus Project and Portfolio Management Center, version 9.32. This vulnerability can be exploited to allow XML External Entity (XXE) |
| CVE-2018-6486 | 1 Microfocus | 2 Fortify Audit Workbench, Fortify Software Security Center | 2024-11-21 | 7.5 HIGH | 7.3 HIGH | XML External Entity (XXE) vulnerability in Micro Focus Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC), versions 16.10, 16.20, 17.10. This vulnerability could be exploited to allow an XML External Entity (XXE) injection. |
| CVE-2018-6225 | 1 Trendmicro | 1 Email Encryption Gateway | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | An XML external entity injection (XXE) vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an authenticated user to expose a normally protected configuration script. |
| CVE-2018-5789 | 1 Extremewireless | 1 Wing | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3. There is a Remote, Unauthenticated XML Entity Expansion Denial of Service on the WiNG Access Point / Controller via crafted XML entities to the Web User Interface. |
| CVE-2018-5758 | 1 Aurea | 1 Jive-n | 2024-11-21 | 6.8 MEDIUM | 6.5 MEDIUM | The Upload File functionality in upload.jspa in Aurea Jive Jive-n 9.0.2.1 On-Premises allows for an XML External Entity attack through a crafted file, allowing attackers to read arbitrary files. |
| CVE-2018-5434 | 1 Tibco | 1 Runtime Agent | 2024-11-21 | 6.8 MEDIUM | 5.8 MEDIUM | The TIBCO Designer component of TIBCO Software Inc.'s TIBCO Runtime Agent, and TIBCO Runtime Agent for z/Linux contains vulnerabilities wherein a malicious user could perform XML external entity expansion (XXE) attacks to disclose host machine information. Affected releases are TIBCO Software Inc.'s TIBCO Runtime Agent: versions up to and including 5.10.0, and TIBCO Runtime Agent for z/Linux: versions up to and including 5.9.1. |
| CVE-2018-5433 | 1 Tibco | 1 Administrator | 2024-11-21 | 6.8 MEDIUM | 6.5 MEDIUM | The TIBCO Administrator server component of TIBCO Software Inc.'s TIBCO Administrator - Enterprise Edition, and TIBCO Administrator - Enterprise Edition for z/Linux contains vulnerabilities wherein a malicious user could perform XML external entity expansion (XXE) attacks to disclose host machine information. Affected releases are TIBCO Software Inc.'s TIBCO Administrator - Enterprise Edition: versions up to and including 5.10.0, and TIBCO Administrator - Enterprise Edition for z/Linux: versions ... |
| CVE-2018-3881 | 1 Focalscope | 1 Focalscope | 2024-11-21 | 7.5 HIGH | 9.4 CRITICAL | An exploitable unauthenticated XML external injection vulnerability was identified in FocalScope v2416. An unauthenticated attacker could submit a specially crafted web request to FocalScope's server that could cause an XXE, and potentially result in data compromise. |
| CVE-2018-3600 | 1 Trendmicro | 1 Control Manager | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | An external entity processing information disclosure (XXE) vulnerability in Trend Micro Control Manager 6.0 could allow a remote attacker to disclose sensitive information on vulnerable installations. |
| CVE-2018-2492 | 1 Sap | 1 Netweaver Application Server Java | 2024-11-21 | 5.5 MEDIUM | 7.1 HIGH | SAML 2.0 functionality in SAP NetWeaver AS Java does not sufficiently validate XML documents received from an untrusted source. This is fixed in versions 7.2, 7.30, 7.31, 7.40 and 7.50. |
| CVE-2018-2401 | 1 Redwood | 1 Sap Business Process Automation | 2024-11-21 | 6.5 MEDIUM | 5.4 MEDIUM | SAP Business Process Automation (BPA) By Redwood does not sufficiently validate an XML document accepted from an untrusted source, resulting in an XML External Entity (XXE) vulnerability. |
| CVE-2018-2393 | 1 Sap | 1 Internet Graphics Server | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | Under certain conditions SAP Internet Graphics Server (IGS) 7.20, 7.20EXT, 7.45, 7.49, 7.53, fails to validate XML External Entity appropriately, causing the SAP Internet Graphics Server (IGS) to become unavailable. |
| CVE-2018-2392 | 1 Sap | 1 Internet Graphics Server | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | Under certain conditions SAP Internet Graphics Server (IGS) 7.20, 7.20EXT, 7.45, 7.49, 7.53, fails to validate XML External Entity appropriately, causing the SAP Internet Graphics Server (IGS) to become unavailable. |
| CVE-2018-2019 | 1 Ibm | 1 Security Identity Manager | 2024-11-21 | 5.5 MEDIUM | 7.1 HIGH | IBM Security Identity Manager 6.0.0 Virtual Appliance is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 155265. |
| CVE-2018-25082 | 1 Wechat Sdk Python Project | 1 Wechat Sdk Python | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM | A vulnerability was found in zwczou WeChat SDK Python 0.3.0 and classified as critical. This issue affects the function validate/to_xml. The manipulation leads to XML external entity reference. The attack may be initiated remotely. Upgrading to version 0.5.5 is able to address this issue. The patch is named e54abadc777715b6dcb545c13214d1dea63df6c9. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-223403. |
| CVE-2018-20733 | 6 Hpe, Ibm, Linux and 3 more | 6 Hp-ux Ipfilter, Aix, Linux Kernel and 3 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | BI Web Services in SAS Web Infrastructure Platform before 9.4M6 allows XXE. |
| CVE-2018-20687 | 1 Raritan | 1 Commandcenter Secure Gateway | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | An XML external entity (XXE) vulnerability in CommandCenterWebServices/.*?wsdl in Raritan CommandCenter Secure Gateway before 8.0.0 allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. |
| CVE-2018-20664 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Zoho ManageEngine ADSelfService Plus 5.x before build 5701 has XXE via an uploaded product license. |
| CVE-2018-20433 | 2 Debian, Mchange | 2 Debian Linux, C3p0 | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization. |
| CVE-2018-20318 | 1 Wxjava Project | 1 Wxjava | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered in weixin-java-tools v3.2.0. There is an XXE vulnerability in the getXmlDoc method of the BaseWxPayResult.java file. |
| CVE-2018-20298 | 1 S3browser | 1 S3 Browser | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | S3 Browser before 8.1.5 contains an XML external entity (XXE) vulnerability, allowing remote attackers to read arbitrary files and obtain NTLMv2 hash values by tricking a user into connecting to a malicious server via the S3 protocol. |
| CVE-2018-20233 | 1 Atlassian | 1 Universal Plugin Manager | 2024-11-21 | 5.5 MEDIUM | 6.5 MEDIUM | The Upload add-on resource in Atlassian Universal Plugin Manager before version 2.22.14 allows remote attackers who have system administrator privileges to read files, make network requests and perform a denial of service attack via an XML External Entity vulnerability in the parsing of atlassian plugin xml files in an uploaded JAR. |
| CVE-2018-20222 | 1 Airsonic Project | 1 Airsonic | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | XXE issue in Airsonic before 10.1.2 during parse. |
| CVE-2018-20160 | 1 Synacor | 1 Zimbra Collaboration Suite | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | ZxChat (aka ZeXtras Chat), as used for zimbra-chat and zimbra-talk in Synacor Zimbra Collaboration Suite 8.7 and 8.8 and in other products, allows XXE attacks, as demonstrated by a crafted XML request to mailboxd. |
| CVE-2018-20157 | 1 Openrefine | 1 Openrefine | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files. |
| CVE-2018-20059 | 1 Pippo | 1 Pippo | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | jaxb/JaxbEngine.java in Pippo 1.11.0 allows XXE. |
| CVE-2018-20000 | 1 Apereo | 1 Bw-webdav | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | Apereo Bedework bw-webdav before 4.0.3 allows XXE attacks, as demonstrated by an invite-reply document that reads a local file, related to webdav/servlet/common/MethodBase.java and webdav/servlet/common/PostRequestPars.java. |
| CVE-2018-1970 | 1 Ibm | 1 Security Access Manager | 2024-11-21 | 5.5 MEDIUM | 7.1 HIGH | IBM Security Identity Manager 7.0.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 153751. |
| CVE-2018-1920 | 1 Ibm | 1 Marketing Platform | 2024-11-21 | 5.5 MEDIUM | 7.1 HIGH | IBM Marketing Platform 9.1.0, 9.1.2 and 10.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 152855. |
| CVE-2018-1905 | 1 Ibm | 1 Websphere Application Server | 2024-11-21 | 5.5 MEDIUM | 7.1 HIGH | IBM WebSphere Application Server 9.0.0.0 through 9.0.0.9 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 152534. |
| CVE-2018-1846 | 1 Ibm | 1 Rational Engineering Lifecycle Manager | 2024-11-21 | 5.5 MEDIUM | 7.1 HIGH | IBM Rational Engineering Lifecycle Manager 5.0 through 5.0.2 and 6.0 through 6.0.6 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 150945. |
| CVE-2018-1845 | 3 Ibm, Linux, Microsoft | 8 Aix, Infosphere Governance Catalog, Infosphere Information Server and 5 more | 2024-11-21 | 5.5 MEDIUM | 7.1 HIGH | IBM InfoSphere Information Server 11.3, 11.5, and 11.7 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 150905. |
| CVE-2018-1844 | 1 Ibm | 1 Filenet Content Manager | 2024-11-21 | 5.5 MEDIUM | 7.1 HIGH | IBM FileNet Content Manager 5.2.1 and 5.5.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 150904. |