Total
1209 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-22478 | 1 Dell | 1 Storage Manager | 2025-05-13 | N/A | 8.1 HIGH |
|
Dell Storage Center - Dell Storage Manager, version(s) 20.1.20, contain(s) an Improper Restriction of XML External Entity Reference vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Information disclosure and Information tampering.
|
|||||
| CVE-2022-43415 | 1 Jenkins | 1 Repo | 2025-05-09 | N/A | 7.5 HIGH |
|
Jenkins REPO Plugin 1.15.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
|
|||||
| CVE-2022-43430 | 1 Jenkins | 1 Compuware Topaz For Total Test | 2025-05-08 | N/A | 7.5 HIGH |
|
Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
|
|||||
| CVE-2022-31678 | 1 Vmware | 2 Cloud Foundation, Nsx Data Center | 2025-05-08 | N/A | 9.1 CRITICAL |
|
VMware Cloud Foundation (NSX-V) contains an XML External Entity (XXE) vulnerability. On VCF 3.x instances with NSX-V deployed, this may allow a user to exploit this issue leading to a denial-of-service condition or unintended information disclosure.
|
|||||
| CVE-2018-4942 | 1 Adobe | 1 Coldfusion | 2025-05-06 | 5.0 MEDIUM | 7.5 HIGH |
|
Adobe ColdFusion Update 5 and earlier versions, ColdFusion 11 Update 13 and earlier versions have an exploitable Unsafe XML External Entity Processing vulnerability. Successful exploitation could lead to information disclosure.
|
|||||
| CVE-2022-21220 | 1 Intel | 1 Quartus Prime | 2025-05-05 | 4.6 MEDIUM | 7.8 HIGH |
|
Improper restriction of XML external entity for Intel(R) Quartus(R) Prime Pro Edition before version 21.3 may allow an authenticated user to potentially enable escalation of privilege via local access.
|
|||||
| CVE-2022-21205 | 1 Intel | 1 Quartus Prime | 2025-05-05 | 5.0 MEDIUM | 7.5 HIGH |
|
Improper restriction of XML external entity reference in DSP Builder Pro for Intel(R) Quartus(R) Prime Pro Edition before version 21.3 may allow an unauthenticated user to potentially enable information disclosure via network access.
|
|||||
| CVE-2020-25020 | 2 Mpxj, Oracle | 2 Mpxj, Primavera Unifier | 2025-05-05 | 7.5 HIGH | 9.8 CRITICAL |
|
MPXJ through 8.1.3 allows XXE attacks. This affects the GanttProjectReader and PhoenixReader components.
|
|||||
| CVE-2022-40747 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2025-05-05 | N/A | 9.1 CRITICAL |
|
"IBM InfoSphere Information Server 11.7 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 236584."
|
|||||
| CVE-2022-37911 | 1 Arubanetworks | 2 Arubaos, Sd-wan | 2025-05-02 | N/A | 3.8 LOW |
|
Due to improper restrictions on XML entities multiple vulnerabilities exist in the command line interface of ArubaOS. A successful exploit could allow an authenticated attacker to retrieve files from the local system or cause the application to consume system resources, resulting in a denial of service condition.
|
|||||
| CVE-2022-45194 | 1 Bruhn-newtech | 1 Cbrn-analysis | 2025-05-01 | N/A | 3.8 LOW |
|
CBRN-Analysis before 22 allows XXE attacks via am mws XML document, leading to NTLMv2-SSP hash disclosure.
|
|||||
| CVE-2022-45386 | 1 Jenkins | 1 Violations | 2025-04-30 | N/A | 5.5 MEDIUM |
|
Jenkins Violations Plugin 0.7.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
|
|||||
| CVE-2022-45395 | 1 Jenkins | 1 Cccc | 2025-04-30 | N/A | 9.8 CRITICAL |
|
Jenkins CCCC Plugin 0.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
|
|||||
| CVE-2022-45400 | 1 Jenkins | 1 Japex | 2025-04-30 | N/A | 9.8 CRITICAL |
|
Jenkins JAPEX Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
|
|||||
| CVE-2022-45397 | 1 Jenkins | 1 Osf Builder Suite \ | 2025-04-30 | N/A | 9.8 CRITICAL |
|
Jenkins OSF Builder Suite : : XML Linter Plugin 1.0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
|
|||||
| CVE-2022-45396 | 1 Jenkins | 1 Sourcemonitor | 2025-04-30 | N/A | 9.8 CRITICAL |
|
Jenkins SourceMonitor Plugin 0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
|
|||||
| CVE-2022-43689 | 1 Concretecms | 1 Concrete Cms | 2025-04-30 | N/A | 5.3 MEDIUM |
|
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XXE based DNS requests leading to IP disclosure.
|
|||||
| CVE-2022-3980 | 1 Sophos | 1 Mobile | 2025-04-29 | N/A | 9.8 CRITICAL |
|
An XML External Entity (XEE) vulnerability allows server-side request forgery (SSRF) and potential code execution in Sophos Mobile managed on-premises between versions 5.0.0 and 9.7.4.
|
|||||
| CVE-2025-2070 | 2025-04-29 | N/A | 5.0 MEDIUM | ||
|
An improper XML parsing vulnerability was reported in the FileZ client that could allow arbitrary file reads on the system if a crafted url is visited by a local user.
|
|||||
| CVE-2022-40771 | 1 Zohocorp | 4 Manageengine Assetexplorer, Manageengine Servicedesk Plus, Manageengine Servicedesk Plus Msp and 1 more | 2025-04-28 | N/A | 4.9 MEDIUM |
|
Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to an XML External Entity attack that leads to Information Disclosure.
|
|||||
| CVE-2022-46682 | 1 Jenkins | 1 Plot | 2025-04-23 | N/A | 9.8 CRITICAL |
|
Jenkins Plot Plugin 2.1.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
|
|||||
| CVE-2022-45326 | 1 Kwoksys | 1 Information Server | 2025-04-23 | N/A | 4.9 MEDIUM |
|
An XML external entity (XXE) injection vulnerability in Kwoksys Kwok Information Server before v2.9.5.SP31 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks.
|
|||||
| CVE-2016-9924 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
|
Zimbra Collaboration Suite (ZCS) before 8.7.4 allows remote attackers to conduct XML External Entity (XXE) attacks.
|
|||||
| CVE-2015-7326 | 1 Milton | 1 Webdav | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
|
XML External Entity (XXE) vulnerability in Milton Webdav before 2.7.0.3.
|
|||||
| CVE-2015-7743 | 1 Paessler | 1 Prtg Network Monitor | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
|
XML external entity vulnerability in PRTG Network Monitor before 16.2.23.3077/3078 allows remote authenticated users to read arbitrary files by creating a new HTTP XML/REST Value sensor that accesses a crafted XML file.
|
|||||
| CVE-2016-4312 | 1 Wso2 | 1 Identity Server | 2025-04-20 | 6.0 MEDIUM | 7.5 HIGH |
|
XML external entity (XXE) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 before WSO2-CARBON-PATCH-4.4.0-0231 allows remote authenticated users with access to XACML features to read arbitrary files, cause a denial of service, conduct server-side request forgery (SSRF) attacks, or have unspecified other impact via a crafted XACML request to entitlement/eval-policy-submit.jsp. NOTE: this issue can be combined with CVE-2016-4311 to exploit the vulnerability without credential ...
Show More |
|||||
| CVE-2017-9458 | 1 Paloaltonetworks | 1 Pan-os | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
|
XML external entity (XXE) vulnerability in the GlobalProtect internal and external gateway interface in Palo Alto Networks PAN-OS before 6.1.18, 7.0.x before 7.0.17, 7.1.x before 7.1.12, and 8.0.x before 8.0.3 allows remote attackers to obtain sensitive information, cause a denial of service, or conduct server-side request forgery (SSRF) attacks via unspecified vectors.
|
|||||
| CVE-2017-14868 | 1 Restlet | 1 Restlet | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
|
Restlet Framework before 2.3.11, when using SimpleXMLProvider, allows remote attackers to access arbitrary files via an XXE attack in a REST API HTTP request. This affects use of the Jax-rs extension.
|
|||||
| CVE-2015-3160 | 1 Beaker-project | 1 Beaker | 2025-04-20 | 4.0 MEDIUM | 4.3 MEDIUM |
|
XML external entity (XXE) vulnerability in bkr/server/jobs.py in Beaker before 20.1 allows remote authenticated users to obtain sensitive information via submitting job XML to the server containing entity references which reference files from the Beaker server's file system.
|
|||||
| CVE-2016-0254 | 1 Ibm | 1 Cognos Business Intelligence | 2025-04-20 | 6.8 MEDIUM | 6.5 MEDIUM |
|
IBM Cognos Business Intelligence 10.1 and 10.2 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote authenticated attacker could exploit this vulnerability to consume all available CPU resources and cause a denial of service. IBM X-Force ID: 110563.
|
|||||
| CVE-2017-12069 | 2 Ocpfoundation, Siemens | 4 Local Discovery Server, Ua .net, Simatic Pcs7 and 1 more | 2025-04-20 | 6.4 MEDIUM | 8.2 HIGH |
|
An XXE vulnerability has been identified in OPC Foundation UA .NET Sample Code before 2017-03-21 and Local Discovery Server (LDS) before 1.03.367. Among the affected products are Siemens SIMATIC PCS7 (All versions V8.1 and earlier), SIMATIC WinCC (All versions < V7.4 SP1), SIMATIC WinCC Runtime Professional (All versions < V14 SP1), SIMATIC NET PC Software, and SIMATIC IT Production Suite. By sending specially crafted packets to the OPC Discovery Server at port 4840/tcp, an attacker might cause ...
Show More |
|||||
| CVE-2017-1103 | 1 Ibm | 2 Rational Quality Manager, Rational Team Concert | 2025-04-20 | 7.5 HIGH | 8.1 HIGH |
|
IBM Team Concert (RTC) is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM X-Force ID: 120665.
|
|||||
| CVE-2017-11457 | 1 Sap | 1 Netweaver Application Server Java | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
|
XML external entity (XXE) vulnerability in com.sap.km.cm.ice in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request, aka SAP Security Note 2387249.
|
|||||
| CVE-2017-14526 | 1 Opentext | 2 Documentum Administrator, Documentum Webtop | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
|
Multiple XML external entity (XXE) vulnerabilities in the OpenText Documentum Administrator 7.2.0180.0055 allow remote authenticated users to list the contents of arbitrary directories, read arbitrary files, cause a denial of service, or, on Windows, obtain Documentum user hashes via a (1) crafted DTD, involving unspecified XML structures in a request to xda/com/documentum/ucf/server/transport/impl/GAIRConnector or crafted XML file in a MediaProfile file (2) import or (3) check in.
|
|||||
| CVE-2017-6055 | 1 Eparaksts | 1 Eparakstitajs 3 | 2025-04-20 | 6.8 MEDIUM | 7.8 HIGH |
|
XML external entity (XXE) vulnerability in eParakstitajs 3 before 1.3.9 and eParaksts Java lib before 2.5.13 allows remote attackers to read arbitrary files or possibly have unspecified other impact via a crafted edoc file.
|
|||||
| CVE-2017-1458 | 1 Ibm | 1 Qradar Network Security | 2025-04-20 | 5.5 MEDIUM | 8.1 HIGH |
|
IBM QRadar Network Security 5.4 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 128377.
|
|||||
| CVE-2017-1000021 | 1 Logicaldoc | 1 Logicaldoc | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
|
LogicalDoc Community Edition 7.5.3 and prior is vulnerable to XXE when indexing XML documents.
|
|||||
| CVE-2017-12620 | 1 Apache | 1 Opennlp | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
|
When loading models or dictionaries that contain XML it is possible to perform an XXE attack, since Apache OpenNLP is a library, this only affects applications that load models or dictionaries from untrusted sources. The versions 1.5.0 to 1.5.3, 1.6.0, 1.7.0 to 1.7.2, 1.8.0 to 1.8.1 of Apache OpenNLP are affected.
|
|||||
| CVE-2017-7457 | 1 Moxa | 1 Mx-aopc Server | 2025-04-20 | 1.9 LOW | 5.0 MEDIUM |
|
XML External Entity via ".AOP" files used by Moxa MX-AOPC Server 1.5 result in remote file disclosure.
|
|||||
| CVE-2017-10889 | 1 Tablepress | 1 Tablepress | 2025-04-20 | 4.0 MEDIUM | 4.3 MEDIUM |
|
TablePress prior to version 1.8.1 allows an attacker to conduct XML External Entity (XXE) attacks via unspecified vectors.
|
|||||