Total
1209 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2015-7241 | 1 Sap | 1 Netweaver | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
|
XML External Entity (XXE) vulnerability in SAP Netweaver before 7.01.
|
|||||
| CVE-2017-3548 | 1 Oracle | 1 Peoplesoft Enterprise Peopletools | 2025-04-20 | 6.4 MEDIUM | 6.5 MEDIUM |
|
Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Integration Broker). Supported versions that are affected are 8.54 and 8.55. Easily "exploitable" vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data and unauthorized abilit ...
Show More |
|||||
| CVE-2016-9706 | 1 Ibm | 2 Integration Bus, Websphere Message Broker | 2025-04-20 | 8.5 HIGH | 9.1 CRITICAL |
|
IBM Integration Bus 9.0 and 10.0 and WebSphere Message Broker SOAP FLOWS is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM Reference #: 1997918.
|
|||||
| CVE-2017-14101 | 1 Changehealthcare | 1 Conserus Image Repository | 2025-04-20 | 5.0 MEDIUM | 9.8 CRITICAL |
|
A security researcher found an XML External Entity (XXE) vulnerability on the Conserus Image Repository archive solution version 2.1.1.105 by McKesson Medical Imaging Company, which is now a Change Healthcare company. An unauthenticated user supplying a modified HTTP SOAP request to the vulnerable service allows for arbitrary file read access to the local file system as well as the transmittal of the application service's account hashed credentials to a remote attacker.
|
|||||
| CVE-2016-7051 | 1 Fasterxml | 1 Jackson-dataformat-xml | 2025-04-20 | 5.0 MEDIUM | 8.6 HIGH |
|
XmlMapper in the Jackson XML dataformat component (aka jackson-dataformat-xml) before 2.7.8 and 2.8.x before 2.8.4 allows remote attackers to conduct server-side request forgery (SSRF) attacks via vectors related to a DTD.
|
|||||
| CVE-2017-1477 | 1 Ibm | 1 Security Access Manager 9.0 Firmware | 2025-04-20 | 5.5 MEDIUM | 8.1 HIGH |
|
IBM Security Access Manager Appliance 9.0.3 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 128612.
|
|||||
| CVE-2016-6111 | 1 Ibm | 1 Curam Social Program Management | 2025-04-20 | 8.5 HIGH | 9.1 CRITICAL |
|
IBM Curam Social Program Management 6.0 and 7.0 are vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM Reference #: 2000833.
|
|||||
| CVE-2014-3600 | 1 Apache | 1 Activemq | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
|
XML external entity (XXE) vulnerability in Apache ActiveMQ 5.x before 5.10.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML messages.
|
|||||
| CVE-2015-7273 | 1 Dell | 3 Integrated Remote Access Controller 7, Integrated Remote Access Controller 8, Integrated Remote Access Controller Firmware | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
|
Dell Integrated Remote Access Controller (iDRAC) 7/8 before 2.21.21.21 has XXE.
|
|||||
| CVE-2017-15639 | 1 Getmura | 1 Mura Cms | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
|
tasks/feed/readRSS.cfm in Mura CMS before 6.2 allows attackers to bypass intended access restrictions by leveraging the "draggable feeds" feature.
|
|||||
| CVE-2017-7907 | 1 Schneider-electric | 1 Wonderware Historian Client | 2025-04-20 | 3.3 LOW | 6.6 MEDIUM |
|
An Improper XML Parser Configuration issue was discovered in Schneider Electric Wonderware Historian Client 2014 R2 SP1 and prior. An improperly restricted XML parser (with improper restriction of XML external entity reference, or XXE) may allow an attacker to enter malicious input through the application which could cause a denial of service or disclose file contents from a server or connected network.
|
|||||
| CVE-2017-5661 | 1 Apache | 1 Formatting Objects Processor | 2025-04-20 | 7.9 HIGH | 7.3 HIGH |
|
In Apache FOP before 2.2, files lying on the filesystem of the server which uses FOP can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml ...
Show More |
|||||
| CVE-2015-0194 | 1 Ibm | 2 Sterling B2b Integrator, Sterling File Gateway | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
|
XML External Entity (XXE) vulnerability in IBM Sterling B2B Integrator 5.1 and 5.2 and IBM Sterling File Gateway 2.1 and 2.2 allows remote attackers to read arbitrary files via a crafted XML data.
|
|||||
| CVE-2017-12629 | 4 Apache, Canonical, Debian and 1 more | 5 Solr, Ubuntu Linux, Debian Linux and 2 more | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
|
Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction with use of a Config API add-listener command to reach the RunExecutableListener class. Elasticsearch, although it uses Lucene, is NOT vulnerable to this. Note that the XML external entity expansion vulnerability occurs in the XML Query Parser which is available, by default, for any query request with parameters deftype=xmlparser and can be exploited to upload malicious data to t ...
Show More |
|||||
| CVE-2017-1219 | 1 Ibm | 1 Bigfix Platform | 2025-04-20 | 5.5 MEDIUM | 6.5 MEDIUM |
|
IBM Tivoli Endpoint Manager is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 123859.
|
|||||
| CVE-2017-1322 | 1 Ibm | 1 Api Connect | 2025-04-20 | 6.4 MEDIUM | 8.2 HIGH |
|
IBM API Connect 5.0.6.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. IBM X-Force ID: 125918.
|
|||||
| CVE-2016-6256 | 1 Sap | 1 Business One | 2025-04-20 | 6.8 MEDIUM | 9.6 CRITICAL |
|
SAP Business One for Android 1.2.3 allows remote attackers to conduct XML External Entity (XXE) attacks via crafted XML data in a request to B1iXcellerator/exec/soap/vP.001sap0003.in_WCSX/com.sap.b1i.vplatform.runtime/INB_WS_CALL_SYNC_XPT/INB_WS_CALL_SYNC_XPT.ipo/proc, aka SAP Security Note 2378065.
|
|||||
| CVE-2016-9724 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2025-04-20 | 7.5 HIGH | 8.1 HIGH |
|
IBM QRadar 7.2 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM Reference #: 1999537.
|
|||||
| CVE-2017-8918 | 1 Blackwave | 1 Dive Assistant | 2025-04-20 | 4.3 MEDIUM | 5.5 MEDIUM |
|
XXE in Dive Assistant - Template Builder in Blackwave Dive Assistant - Desktop Edition 8.0 allows attackers to remotely view local files via a crafted template.xml file.
|
|||||
| CVE-2017-15280 | 1 Umbraco | 1 Umbraco Cms | 2025-04-20 | 4.3 MEDIUM | 5.5 MEDIUM |
|
XML external entity (XXE) vulnerability in Umbraco CMS before 7.7.3 allows attackers to obtain sensitive information by reading files on the server or sending TCP requests to intranet hosts (aka SSRF), related to Umbraco.Web/umbraco.presentation/umbraco/dialogs/importDocumenttype.aspx.cs.
|
|||||
| CVE-2016-10149 | 2 Debian, Pysaml2 Project | 2 Debian Linux, Pysaml2 | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
|
XML External Entity (XXE) vulnerability in PySAML2 4.4.0 and earlier allows remote attackers to read arbitrary files via a crafted SAML XML request or response.
|
|||||
| CVE-2016-3027 | 1 Ibm | 5 Security Access Manager 9.0 Firmware, Security Access Manager For Mobile 8.0 Firmware, Security Access Manager For Mobile Appliance and 2 more | 2025-04-20 | 5.5 MEDIUM | 6.5 MEDIUM |
|
IBM Security Access Manager for Web is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources.
|
|||||
| CVE-2014-9487 | 1 Mediawiki | 1 Mediawiki | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
|
The getid3 library in MediaWiki before 1.24.1, 1.23.8, 1.22.15 and 1.19.23 allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack. NOTE: Related to CVE-2014-2053.
|
|||||
| CVE-2016-9691 | 1 Ibm | 1 Websphere Cast Iron Solution | 2025-04-20 | 9.0 HIGH | 8.6 HIGH |
|
IBM WebSphere Cast Iron Solution 7.0.0 and 7.5.0.0 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM X-Force ID: 119515.
|
|||||
| CVE-2017-1192 | 1 Ibm | 1 Sterling B2b Integrator | 2025-04-20 | 6.4 MEDIUM | 8.2 HIGH |
|
IBM Sterling B2B Integrator 5.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. IBM X-Force ID: 123663.
|
|||||
| CVE-2017-10617 | 1 Juniper | 1 Contrail | 2025-04-20 | 5.0 MEDIUM | 5.0 MEDIUM |
|
The ifmap service that comes bundled with Contrail has an XML External Entity (XXE) vulnerability that may allow an attacker to retrieve sensitive system files. Affected releases are Juniper Networks Contrail 2.2 prior to 2.21.4; 3.0 prior to 3.0.3.4; 3.1 prior to 3.1.4.0; 3.2 prior to 3.2.5.0. CVE-2017-10616 and CVE-2017-10617 can be chained together and have a combined CVSSv3 score of 5.8 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N).
|
|||||
| CVE-2014-3630 | 2 Lightbend, Playframework | 2 Play Framework, Play Framework | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
|
XML external entity (XXE) vulnerability in the Java XML processing functionality in Play before 2.2.6 and 2.3.x before 2.3.5 might allow remote attackers to read arbitrary files, cause a denial of service, or have unspecified other impact via crafted XML data.
|
|||||
| CVE-2017-11286 | 1 Adobe | 1 Coldfusion | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
|
Adobe ColdFusion has an XML external entity (XXE) injection vulnerability. This affects Update 4 and earlier versions for ColdFusion 2016, and Update 12 and earlier versions for ColdFusion 11.
|
|||||
| CVE-2017-1383 | 1 Ibm | 2 Infosphere Information Server, Softlayer | 2025-04-20 | 6.4 MEDIUM | 9.1 CRITICAL |
|
IBM InfoSphere Information Server 9.1, 11.3, and 11.5 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 127155.
|
|||||
| CVE-2016-9698 | 1 Ibm | 1 Rational Rhapsody Design Manager | 2025-04-20 | 7.5 HIGH | 8.1 HIGH |
|
IBM Rhapsody DM 4.0, 5.0, and 6.0 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM Reference #: 1999960.
|
|||||
| CVE-2017-5992 | 1 Python | 1 Openpyxl | 2025-04-20 | 5.8 MEDIUM | 8.2 HIGH |
|
Openpyxl 2.4.1 resolves external entities by default, which allows remote attackers to conduct XXE attacks via a crafted .xlsx document.
|
|||||
| CVE-2017-1000061 | 1 Xmlsec Project | 1 Xmlsec | 2025-04-20 | 5.8 MEDIUM | 7.1 HIGH |
|
xmlsec 1.2.23 and before is vulnerable to XML External Entity Expansion when parsing crafted input documents, resulting in possible information disclosure or denial of service
|
|||||
| CVE-2017-11390 | 1 Trendmicro | 1 Control Manager | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
|
XML external entity (XXE) processing vulnerability in Trend Micro Control Manager 6.0, if exploited, could lead to information disclosure. Formerly ZDI-CAN-4706.
|
|||||
| CVE-2014-0030 | 1 Apache | 1 Roller | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
|
The XML-RPC protocol support in Apache Roller before 5.0.3 allows attackers to conduct XML External Entity (XXE) attacks via unspecified vectors.
|
|||||
| CVE-2016-6805 | 1 Apache | 1 Ignite | 2025-04-20 | 4.3 MEDIUM | 5.9 MEDIUM |
|
Apache Ignite before 1.9 allows man-in-the-middle attackers to read arbitrary files via XXE in modified update-notifier documents.
|
|||||
| CVE-2017-9295 | 1 Hitachi | 1 Device Manager | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
|
XXE vulnerability in Hitachi Device Manager before 8.5.2-01 and Hitachi Replication Manager before 8.5.2-00 allows authenticated remote users to read arbitrary files.
|
|||||
| CVE-2017-5662 | 1 Apache | 1 Batik | 2025-04-20 | 7.9 HIGH | 7.3 HIGH |
|
In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a ...
Show More |
|||||
| CVE-2017-13706 | 1 Lansweeper | 1 Lansweeper | 2025-04-20 | 6.5 MEDIUM | 9.9 CRITICAL |
|
XML external entity (XXE) vulnerability in the import package functionality of the deployment module in Lansweeper before 6.0.100.67 allows remote authenticated users to obtain sensitive information, cause a denial of service, conduct server-side request forgery (SSRF) attacks, conduct internal port scans, or have unspecified other impact via an XML request, aka bug #572705.
|
|||||
| CVE-2017-8557 | 1 Microsoft | 7 Windows 10, Windows 7, Windows 8.1 and 4 more | 2025-04-20 | 2.1 LOW | 5.5 MEDIUM |
|
Windows System Information Console in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an information disclosure vulnerability improperly parses XML input containing a reference to an external entity, aka "Windows System Information Console Information Disclosure Vulnerability".
|
|||||
| CVE-2017-12216 | 1 Cisco | 1 Socialminer | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
A vulnerability in the web-based user interface of Cisco SocialMiner could allow an unauthenticated, remote attacker to have read and write access to information stored in the affected system. The vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing an XML file. An attacker could exploit this vulnerability by convincing the administrator of an affected system to import a crafted XML file with malicious entries, which could allow the attacker to read and wri ...
Show More |
|||||