Total
1209 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-16521 | 1 Openmrs | 2 Html Form Entry, Reference Application | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
An XML External Entity (XXE) vulnerability exists in HTML Form Entry 3.7.0, as distributed in OpenMRS Reference Application 2.8.0.
|
|||||
| CVE-2018-16252 | 1 Fspro | 1 Event Log Explorer | 2024-11-21 | 2.1 LOW | 3.3 LOW |
|
FsPro Labs Event Log Explorer 4.6.1.2115 has ".elx" FileType XML External Entity Injection.
|
|||||
| CVE-2018-16166 | 1 Jpcert | 1 Logontracer | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
LogonTracer 1.2.0 and earlier allows remote attackers to conduct XML External Entity (XXE) attacks via unspecified vectors.
|
|||||
| CVE-2018-15805 | 1 Accusoft | 1 Prizmdoc | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
|
Accusoft PrizmDoc HTML5 Document Viewer before 13.5 contains an XML external entity (XXE) vulnerability, allowing an attacker to read arbitrary files or cause a denial of service (resource consumption).
|
|||||
| CVE-2018-15531 | 1 Javamelody Project | 1 Javamelody | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
JavaMelody before 1.74.0 has XXE via parseSoapMethodName in bull/javamelody/PayloadNameRequestWrapper.java.
|
|||||
| CVE-2018-15506 | 1 Bubblesoftapps | 1 Bubbleupnp | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
In BubbleUPnP 0.9 update 30, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this vulnerability to: (1) Access arbitrary files from the filesystem with the same permission as the user account running BubbleUPnP, (2) Initiate SMB connections to capture a NetNTLM challenge/response and crack the cleartext password, or (3) Initiate SMB connections to relay a NetNTLM challenge/response and a ...
Show More |
|||||
| CVE-2018-15444 | 1 Cisco | 1 Energy Management Suite Software | 2024-11-21 | 4.9 MEDIUM | 6.3 MEDIUM |
|
A vulnerability in the web-based user interface of Cisco Energy Management Suite Software could allow an authenticated, remote attacker to gain read and write access to information that is stored on an affected system. The vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by convincing a user of an affected system to import a crafted XML file with malicious entries, which could allow the att ...
Show More |
|||||
| CVE-2018-15362 | 1 Ge | 1 Cimplicity | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
|
XXE in GE Proficy Cimplicity GDS versions 9.0 R2, 9.5, 10.0
|
|||||
| CVE-2018-14720 | 4 Debian, Fasterxml, Oracle and 1 more | 12 Debian Linux, Jackson-databind, Banking Platform and 9 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.
|
|||||
| CVE-2018-14485 | 1 Blogengine | 1 Blogengine.net | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
BlogEngine.NET 3.3 allows XXE attacks via the POST body to metaweblog.axd.
|
|||||
| CVE-2018-14473 | 1 Ocsinventory-ng | 1 Ocsinventory Ng | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
|
OCS Inventory 2.4.1 lacks a proper XML parsing configuration, allowing the use of external entities. This issue can be exploited by an attacker sending a crafted HTTP request in order to exfiltrate information or cause a Denial of Service.
|
|||||
| CVE-2018-14383 | 1 Ttpsc | 1 The Scheduler | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
The Transition Technologies "The Scheduler" app 5.1.3 for Jira allows XXE due to a weakly configured/parameterized XML parser. It was fixed in the versions 5.2.1 and 3.3.7
|
|||||
| CVE-2018-14065 | 1 Phpoffice Project | 1 Common | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
XMLReader.php in PHPOffice Common before 0.2.9 allows XXE.
|
|||||
| CVE-2018-13826 | 2 Broadcom, Ca | 2 Project Portfolio Management, Project Portfolio Management | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
|
An XML external entity vulnerability in the XOG functionality, in CA PPM 14.3 and below, 14.4, 15.1, 15.2 CP5 and below, and 15.3 CP2 and below, allows remote attackers to conduct server side request forgery attacks.
|
|||||
| CVE-2018-13823 | 2 Broadcom, Ca | 2 Project Portfolio Management, Project Portfolio Management | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
An XML external entity vulnerability in the XOG functionality, in CA PPM 14.3 and below, 14.4, 15.1, 15.2 CP5 and below, and 15.3 CP2 and below, allows remote attackers to access sensitive information.
|
|||||
| CVE-2018-13439 | 1 Tencent | 1 Wechat Pay | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
WXPayUtil in WeChat Pay Java SDK allows XXE attacks involving a merchant notification URL.
|
|||||
| CVE-2018-13417 | 1 Vuze | 1 Bittorrent Client | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
In Vuze Bittorrent Client 5.7.6.0, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this vulnerability to: (1) Access arbitrary files from the filesystem with the same permission as the user account running Vuze, (2) Initiate SMB connections to capture a NetNTLM challenge/response and crack to cleartext password, or (3) Initiate SMB connections to relay a NetNTLM challenge/response and ac ...
Show More |
|||||
| CVE-2018-13416 | 1 Spirton | 1 Universal Media Server | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
In Universal Media Server (UMS) 7.1.0, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this vulnerability to: (1) Access arbitrary files from the filesystem with the same permission as the user account running UMS, (2) Initiate SMB connections to capture a NetNTLM challenge/response and crack to cleartext password, or (3) Initiate SMB connections to relay a NetNTLM challenge/response and ...
Show More |
|||||
| CVE-2018-13415 | 1 Plex | 1 Media Server | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
In Plex Media Server 1.13.2.5154, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this vulnerability to: (1) Access arbitrary files from the filesystem with the same permission as the user account running Plex, (2) Initiate SMB connections to capture a NetNTLM challenge/response and crack to cleartext password, or (3) Initiate SMB connections to relay a NetNTLM challenge/response and ach ...
Show More |
|||||
| CVE-2018-12585 | 1 Opcfoundation | 2 Ua-.net-legacy, Ua-java | 2024-11-21 | 6.4 MEDIUM | 8.2 HIGH |
|
An XXE vulnerability in the OPC UA Java and .NET Legacy Stack can allow remote attackers to trigger a denial of service.
|
|||||
| CVE-2018-12544 | 1 Eclipse | 1 Vert.x | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
In version from 3.5.Beta1 to 3.5.3 of Eclipse Vert.x, the OpenAPI XML type validator creates XML parsers without taking appropriate defense against XML attacks. This mechanism is exclusively when the developer uses the Eclipse Vert.x OpenAPI XML type validator to validate a provided schema.
|
|||||
| CVE-2018-12471 | 1 Suse | 1 Subscription Management Tool | 2024-11-21 | 6.4 MEDIUM | 6.5 MEDIUM |
|
A External Entity Reference ('XXE') vulnerability in SUSE Linux SMT allows remote attackers to read data from the server or cause DoS by referencing blocking elements. Affected releases are SUSE Linux SMT: versions prior to 3.0.37.
|
|||||
| CVE-2018-12463 | 1 Hp | 1 Fortify Software Security Center | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
An XML external entity (XXE) vulnerability in Fortify Software Security Center (SSC), version 17.1, 17.2, 18.1 allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.
|
|||||
| CVE-2018-12408 | 1 Tibco | 2 Activematrix Businessworks, Activematrix Businessworks Distribution For Tibco Silver Fabric | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
The BusinessWorks engine component of TIBCO Software Inc.'s TIBCO ActiveMatrix BusinessWorks, TIBCO ActiveMatrix BusinessWorks for z/Linux, and TIBCO ActiveMatrix BusinessWorks Distribution for TIBCO Silver Fabric contains a vulnerability that may allow XML eXternal Entity (XXE) attacks via incoming network messages, and may disclose the contents of files accessible to a running BusinessWorks engine Affected releases are TIBCO Software Inc. TIBCO ActiveMatrix BusinessWorks: versions up to and in ...
Show More |
|||||
| CVE-2018-12243 | 1 Symantec | 1 Messaging Gateway | 2024-11-21 | 5.8 MEDIUM | 8.8 HIGH |
|
The Symantec Messaging Gateway product prior to 10.6.6 may be susceptible to a XML external entity (XXE) exploit, which is a type of issue where XML input containing a reference to an external entity is processed by a weakly configured XML parser. The attack uses file URI schemes or relative paths in the system identifier to access files that should not normally be accessible.
|
|||||
| CVE-2018-11796 | 1 Apache | 1 Tika | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
In Apache Tika 1.19 (CVE-2018-11761), we added an entity expansion limit for XML parsing. However, Tika reuses SAXParsers and calls reset() after each parse, which, for Xerces2 parsers, as per the documentation, removes the user-specified SecurityManager and thus removes entity expansion limits after the first parse. Apache Tika versions from 0.1 to 1.19 are therefore still vulnerable to entity expansions which can lead to a denial of service attack. Users should upgrade to 1.19.1 or later.
|
|||||
| CVE-2018-11788 | 1 Apache | 1 Karaf | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by XMLInputFactory class. Apache Karaf XMLInputFactory class doesn't contain any mitigation codes against XXE. This is a potential security risk as an user can inject external XML entities in Apache Karaf version prior to 4.1.7 or 4.2.2. It has been fixed in Apache Karaf 4.1.7 and 4.2.2 releases.
|
|||||
| CVE-2018-11761 | 2 Apache, Oracle | 2 Tika, Business Process Management Suite | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
In Apache Tika 0.1 to 1.18, the XML parsers were not configured to limit entity expansion. They were therefore vulnerable to an entity expansion vulnerability which can lead to a denial of service attack.
|
|||||
| CVE-2018-11758 | 1 Apache | 1 Cayenne | 2024-11-21 | 5.8 MEDIUM | 8.1 HIGH |
|
This affects Apache Cayenne 4.1.M1, 3.2.M1, 4.0.M2 to 4.0.M5, 4.0.B1, 4.0.B2, 4.0.RC1, 3.1, 3.1.1, 3.1.2. CayenneModeler is a desktop GUI tool shipped with Apache Cayenne and intended for editing Cayenne ORM models stored as XML files. If an attacker tricks a user of CayenneModeler into opening a malicious XML file, the attacker will be able to instruct the XML parser built into CayenneModeler to transfer files from a local machine to a remote machine controlled by the attacker. The cause of the ...
Show More |
|||||
| CVE-2018-11719 | 1 Xovis | 6 Pc2, Pc2 Firmware, Pc2r and 3 more | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
|
Xovis PC2, PC2R, and PC3 devices through 3.6.0 allow XXE.
|
|||||
| CVE-2018-11640 | 1 Dialogic | 1 Powermedia Xms | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
|
XML External Entity (XXE) vulnerability in the web service in Dialogic PowerMedia XMS before 3.5 SU2 allows remote attackers to read arbitrary files or cause a denial of service (resource consumption).
|
|||||
| CVE-2018-11586 | 1 Searchblox | 1 Searchblox | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
XML external entity (XXE) vulnerability in api/rest/status in SearchBlox 8.6.7 allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.
|
|||||
| CVE-2018-11048 | 1 Dell | 2 Emc Data Protection Advisor, Emc Integrated Data Protection Appliance | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
|
Dell EMC Data Protection Advisor, versions 6.2, 6,3, 6.4, 6.5 and Dell EMC Integrated Data Protection Appliance (IDPA) versions 2.0, 2.1 contain a XML External Entity (XXE) Injection vulnerability in the REST API. An authenticated remote malicious user could potentially exploit this vulnerability to read certain system files in the server or cause denial of service by supplying specially crafted Document Type Definitions (DTDs) in an XML request.
|
|||||
| CVE-2018-10832 | 1 Modbuspal Project | 1 Modbuspal | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
|
ModbusPal 1.6b is vulnerable to an XML External Entity (XXE) attack. Projects are saved as .xmpp files and automations can be exported as .xmpa files, both XML-based, which are vulnerable to XXE injection. Sending a crafted .xmpp or .xmpa file to a user, when opened/imported in ModbusPal, will return the contents of any local files to a remote attacker.
|
|||||
| CVE-2018-10653 | 1 Citrix | 1 Xenmobile Server | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
There is an XML External Entity (XXE) Processing Vulnerability in Citrix XenMobile Server 10.8 before RP2 and 10.7 before RP3.
|
|||||
| CVE-2018-10614 | 1 We-con | 1 Levistudiou | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
An XXE vulnerability in LeviStudioU, Versions 1.8.29 and 1.8.44 can be exploited when the application processes specially crafted project XML files.
|
|||||
| CVE-2018-10613 | 1 Ge | 1 Mds Pulsenet | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Multiple variants of XML External Entity (XXE) attacks may be used to exfiltrate data from the host Windows platform in GE MDS PulseNET and MDS PulseNET Enterprise version 3.2.1 and prior.
|
|||||
| CVE-2018-10600 | 1 Selinc | 1 Acselerator Architect | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
SEL AcSELerator Architect version 2.2.24.0 and prior allows unsanitized input to be passed to the XML parser, which may allow disclosure and retrieval of arbitrary data, arbitrary code execution (in certain situations on specific platforms), and denial of service attacks.
|
|||||
| CVE-2018-10175 | 1 Digitalguardian | 1 Management Console | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
Digital Guardian Management Console 7.1.2.0015 has an XXE issue.
|
|||||
| CVE-2018-10077 | 1 Vertiv | 1 Watchdog Console | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
|
XML external entity (XXE) vulnerability in Geist WatchDog Console 3.2.2 allows remote authenticated administrators to read arbitrary files via crafted XML data.
|
|||||