Search
Total
351 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-12642 | 1 Reportportal | 1 Service-api | 2020-05-07 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in service-api before 4.3.12 and 5.x before 5.1.1 for Report Portal. It allows XXE, with resultant secrets disclosure and SSRF, via JUnit XML launch import. | |||||
| CVE-2020-2178 | 1 Jenkins | 1 Parasoft Findings | 2020-04-27 | 5.5 MEDIUM | 7.1 HIGH |
| Jenkins Parasoft Findings Plugin 10.4.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2020-10629 | 1 Advantech | 1 Webaccess\/nms | 2020-04-10 | 5.0 MEDIUM | 7.5 HIGH |
| WebAccess/NMS (versions prior to 3.0.2) does not sanitize XML input. Specially crafted XML input could allow an attacker to read sensitive files. | |||||
| CVE-2019-4391 | 1 Hcltech | 1 Appscan | 2020-04-08 | 6.4 MEDIUM | 8.2 HIGH |
| HCL AppScan Standard is vulnerable to XML External Entity Injection (XXE) attack when processing XML data | |||||
| CVE-2020-2171 | 1 Jenkins | 1 Rapiddeploy | 2020-03-30 | 6.5 MEDIUM | 8.8 HIGH |
| Jenkins RapidDeploy Plugin 4.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2019-20191 | 1 Sync | 3 Oxygen Xml Author, Oxygen Xml Developer, Oxygen Xml Editor | 2020-03-20 | 5.0 MEDIUM | 7.5 HIGH |
| Oxygen XML Editor 21.1.1 allows XXE to read any file. | |||||
| CVE-2020-2144 | 1 Jenkins | 1 Rundeck | 2020-03-10 | 5.5 MEDIUM | 7.1 HIGH |
| Jenkins Rundeck Plugin 3.6.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2020-2138 | 1 Jenkins | 1 Cobertura | 2020-03-10 | 5.5 MEDIUM | 7.1 HIGH |
| Jenkins Cobertura Plugin 1.15 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2020-1975 | 1 Paloaltonetworks | 1 Pan-os | 2020-02-18 | 6.5 MEDIUM | 8.8 HIGH |
| Missing XML validation vulnerability in the PAN-OS web interface on Palo Alto Networks PAN-OS software allows authenticated users to inject arbitrary XML that results in privilege escalation. This issue affects PAN-OS 8.1 versions earlier than PAN-OS 8.1.12 and PAN-OS 9.0 versions earlier than PAN-OS 9.0.6. This issue does not affect PAN-OS 7.1, PAN-OS 8.0, or PAN-OS 9.1 or later versions. | |||||
| CVE-2020-2120 | 1 Jenkins | 1 Fitnesse | 2020-02-14 | 6.5 MEDIUM | 8.8 HIGH |
| Jenkins FitNesse Plugin 1.30 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2020-2115 | 1 Jenkins | 1 Nunit | 2020-02-14 | 6.5 MEDIUM | 8.8 HIGH |
| Jenkins NUnit Plugin 0.25 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2019-12331 | 1 Phpspreadsheet Project | 1 Phpspreadsheet | 2020-02-10 | 6.8 MEDIUM | 8.8 HIGH |
| PHPOffice PhpSpreadsheet before 1.8.0 has an XXE issue. The XmlScanner decodes the sheet1.xml from an .xlsx to utf-8 if something else than UTF-8 is declared in the header. This was a security measurement to prevent CVE-2018-19277 but the fix is not sufficient. By double-encoding the the xml payload to utf-7 it is possible to bypass the check for the string ‚<!ENTITY‘ and thus allowing for an xml external entity processing (XXE) attack. | |||||
| CVE-2019-18412 | 1 Jetbrains | 1 Idetalk | 2020-02-06 | 5.0 MEDIUM | 7.5 HIGH |
| JetBrains IDETalk plugin before version 193.4099.10 allows XXE | |||||
| CVE-2019-4707 | 1 Ibm | 1 Security Access Manager | 2020-01-31 | 5.5 MEDIUM | 7.1 HIGH |
| IBM Security Access Manager Appliance 9.0.7.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 172018. | |||||
| CVE-2017-1000498 | 1 Androidsvg Project | 1 Androidsvg | 2020-01-30 | 6.8 MEDIUM | 7.8 HIGH |
| AndroidSVG version 1.2.2 is vulnerable to XXE attacks in the SVG parsing component resulting in denial of service and possibly remote code execution | |||||
| CVE-2020-2108 | 1 Jenkins | 1 Websphere Deployer | 2020-01-30 | 6.5 MEDIUM | 7.6 HIGH |
| Jenkins WebSphere Deployer Plugin 1.6.1 and earlier does not configure the XML parser to prevent XXE attacks which can be exploited by a user with Job/Configure permissions. | |||||
| CVE-2014-5238 | 1 Open-xchange | 1 Open-xchange Appsuite | 2020-01-28 | 6.8 MEDIUM | 7.8 HIGH |
| XML external entity (XXE) vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev11 and 7.6.x before 7.6.0-rev9 allows remote attackers to read arbitrary files and possibly other unspecified impact via a crafted OpenDocument Text document. | |||||
| CVE-2015-1809 | 1 Jenkins | 1 Cloudbees | 2020-01-24 | 5.0 MEDIUM | 7.5 HIGH |
| XML external entity (XXE) vulnerability in CloudBees Jenkins before 1.600 and LTS before 1.596.1 allows remote attackers to read arbitrary XML files via an XPath query. | |||||
| CVE-2015-1811 | 1 Jenkins | 1 Cloudbees | 2020-01-24 | 5.0 MEDIUM | 7.5 HIGH |
| XML external entity (XXE) vulnerability in CloudBees Jenkins before 1.600 and LTS before 1.596.1 allows remote attackers to read arbitrary XML files via a crafted XML document. | |||||
| CVE-2015-8549 | 1 Pyamf | 1 Pyamf | 2020-01-22 | 5.8 MEDIUM | 7.1 HIGH |
| XML external entity (XXE) vulnerability in PyAMF before 0.8.0 allows remote attackers to cause a denial of service or read arbitrary files via a crafted Action Message Format (AMF) payload. | |||||
| CVE-2020-2092 | 1 Jenkins | 1 Robot Framework | 2020-01-22 | 6.5 MEDIUM | 8.8 HIGH |
| Jenkins Robot Framework Plugin 2.0.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks, allowing users with Job/Configure to have Jenkins parse crafted XML documents. | |||||
| CVE-2019-19998 | 1 Xiuno | 1 Xiunobbs | 2020-01-07 | 5.0 MEDIUM | 7.5 HIGH |
| Xiuno BBS 4.0 allows XXE via plugin/xn_wechat_public/route/token.php. | |||||
| CVE-2019-16549 | 1 Jenkins | 1 Maven | 2020-01-03 | 6.8 MEDIUM | 8.1 HIGH |
| Jenkins Maven Release Plugin 0.16.1 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks, allowing man-in-the-middle attackers to have Jenkins parse crafted XML documents. | |||||
| CVE-2012-2656 | 1 Talend | 1 Restlet | 2019-12-23 | 5.0 MEDIUM | 7.5 HIGH |
| An XML eXternal Entity (XXE) issue exists in Restlet 1.1.10 in an endpoint using XML transport, which lets a remote attacker obtain sensitive information. | |||||
| CVE-2011-3600 | 1 Apache | 1 Ofbiz | 2019-12-16 | 5.0 MEDIUM | 7.5 HIGH |
| The /webtools/control/xmlrpc endpoint in OFBiz XML-RPC event handler is exposed to External Entity Injection by passing DOCTYPE declarations with executable payloads that discloses the contents of files in the filesystem. In addition, it can also be used to probe for open network ports, and figure out from returned error messages whether a file exists or not. This affects OFBiz 16.11.01 to 16.11.04. | |||||
| CVE-2018-11761 | 2 Apache, Oracle | 2 Tika, Business Process Management Suite | 2019-11-12 | 5.0 MEDIUM | 7.5 HIGH |
| In Apache Tika 0.1 to 1.18, the XML parsers were not configured to limit entity expansion. They were therefore vulnerable to an entity expansion vulnerability which can lead to a denial of service attack. | |||||
| CVE-2018-1308 | 2 Apache, Debian | 2 Solr, Debian Linux | 2019-11-12 | 5.0 MEDIUM | 7.5 HIGH |
| This vulnerability in Apache Solr 1.2 to 6.6.2 and 7.0.0 to 7.2.1 relates to an XML external entity expansion (XXE) in the `&dataConfig=<inlinexml>` parameter of Solr's DataImportHandler. It can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network. | |||||
| CVE-2019-9757 | 1 Labkey | 1 Labkey Server | 2019-11-01 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in LabKey Server 19.1.0. Sending an SVG containing an XXE payload to the endpoint visualization-exportImage.view or visualization-exportPDF.view allows local files to be read. | |||||
| CVE-2017-15725 | 1 Devada | 1 Dzone Answerhub | 2019-10-31 | 5.0 MEDIUM | 7.5 HIGH |
| An XML External Entity Injection vulnerability exists in Dzone AnswerHub. | |||||
| CVE-2019-8087 | 1 Adobe | 1 Experience Manager | 2019-10-28 | 5.0 MEDIUM | 7.5 HIGH |
| Adobe Experience Manager versions 6.5, 6.4, 6.3 and 6.2 have a xml external entity injection vulnerability. Successful exploitation could lead to sensitive information disclosure. | |||||
| CVE-2019-8082 | 1 Adobe | 1 Experience Manager | 2019-10-28 | 5.0 MEDIUM | 7.5 HIGH |
| Adobe Experience Manager versions 6.4, 6.3 and 6.2 have a xml external entity injection vulnerability. Successful exploitation could lead to sensitive information disclosure. | |||||
| CVE-2019-8086 | 1 Adobe | 1 Experience Manager | 2019-10-28 | 5.0 MEDIUM | 7.5 HIGH |
| Adobe Experience Manager versions 6.5, 6.4, 6.3 and 6.2 have a xml external entity injection vulnerability. Successful exploitation could lead to sensitive information disclosure. | |||||
| CVE-2019-10466 | 1 Jenkins | 1 360 Fireline | 2019-10-25 | 5.5 MEDIUM | 8.1 HIGH |
| An XML external entities (XXE) vulnerability in Jenkins 360 FireLine Plugin allows attackers with Overall/Read access to have Jenkins resolve external entities, resulting in the extraction of secrets from the Jenkins agent, server-side request forgery, or denial-of-service attacks. | |||||
| CVE-2019-1060 | 1 Microsoft | 6 Windows 10, Windows 8.1, Windows Rt 8.1 and 3 more | 2019-10-11 | 9.3 HIGH | 8.8 HIGH |
| A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka 'MS XML Remote Code Execution Vulnerability'. | |||||
| CVE-2016-7051 | 1 Fasterxml | 1 Jackson-dataformat-xml | 2019-10-10 | 5.0 MEDIUM | 8.6 HIGH |
| XmlMapper in the Jackson XML dataformat component (aka jackson-dataformat-xml) before 2.7.8 and 2.8.x before 2.8.4 allows remote attackers to conduct server-side request forgery (SSRF) attacks via vectors related to a DTD. | |||||
| CVE-2019-6179 | 1 Lenovo | 2 Xclarity Administrator, Xclarity Integrator | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH |
| An XML External Entity (XXE) processing vulnerability was reported in Lenovo XClarity Administrator (LXCA) prior to version 2.5.0 , Lenovo XClarity Integrator (LXCI) for Microsoft System Center prior to version 7.7.0, and Lenovo XClarity Integrator (LXCI) for VMWare vCenter prior to version 6.1.0 that could allow information disclosure. | |||||
| CVE-2019-4340 | 1 Ibm | 1 Security Guardium Big Data Intelligence | 2019-10-09 | 6.4 MEDIUM | 8.2 HIGH |
| IBM Security Guardium Big Data Intelligence 4.0 (SonarG) is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 161419. | |||||
| CVE-2019-4062 | 1 Ibm | 1 I2 Intelligent Analysis Platform | 2019-10-09 | 5.5 MEDIUM | 7.1 HIGH |
| IBM i2 Intelligent Analyis Platform 9.0.0 through 9.1.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 157007. | |||||
| CVE-2019-4043 | 1 Ibm | 1 Sterling B2b Integrator | 2019-10-09 | 5.5 MEDIUM | 7.1 HIGH |
| IBM Sterling B2B Integrator Standard Edition 5.2.0 snf 6.0.0.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 156239. | |||||
| CVE-2019-4208 | 1 Ibm | 1 Tririga Application Platform | 2019-10-09 | 5.5 MEDIUM | 7.1 HIGH |
| IBM TRIRIGA Application Platform 3.5.3 and 3.6.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 159129. | |||||
| CVE-2019-4433 | 1 Ibm | 2 Infosphere Global Name Management, Infosphere Identity Insight | 2019-10-09 | 6.4 MEDIUM | 8.2 HIGH |
| IBM InfoSphere Global Name Management 5.0 and 6.0 and IBM InfoSphere Identity Insight 8.1 and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 162890. | |||||
| CVE-2019-4456 | 1 Ibm | 1 Daeja Viewone | 2019-10-09 | 5.5 MEDIUM | 7.1 HIGH |
| IBM Daeja ViewONE Professional, Standard & Virtual 5.0.5 and 5.0.6 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 163620. | |||||
| CVE-2019-4419 | 1 Ibm | 3 Intelligent Operations Center, Intelligent Operations Center For Emergency Management, Water Operations For Waternamics | 2019-10-09 | 6.4 MEDIUM | 8.2 HIGH |
| IBM Intelligent Operations Center V5.1.0 through V5.2.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 162737. | |||||
| CVE-2019-4424 | 1 Ibm | 2 Business Automation Workflow, Business Process Manager | 2019-10-09 | 6.4 MEDIUM | 8.2 HIGH |
| IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1, and 19.0.0.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 162770. | |||||
| CVE-2019-4513 | 1 Ibm | 1 Security Access Manager For Enterprise Single Sign-on | 2019-10-09 | 6.4 MEDIUM | 8.2 HIGH |
| IBM Security Access Manager for Enterprise Single Sign-On 8.2.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 164555. | |||||
| CVE-2019-3722 | 1 Dell | 1 Emc Openmanage Server Administrator | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH |
| Dell EMC OpenManage Server Administrator (OMSA) versions prior to 9.1.0.3 and prior to 9.2.0.4 contain an XML external entity (XXE) injection vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to read arbitrary server system files by supplying specially crafted document type definitions (DTDs) in an XML request. | |||||
| CVE-2019-14693 | 1 Zohocorp | 1 Manageengine Assetexplorer | 2019-10-09 | 5.5 MEDIUM | 8.1 HIGH |
| Zoho ManageEngine AssetExplorer 6.2.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing license XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. | |||||
| CVE-2019-10244 | 1 Eclipse | 1 Kura | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH |
| In Eclipse Kura versions up to 4.0.0, the Web UI package and component services, the Artemis simple Mqtt component and the emulator position service (not part of the device distribution) could potentially be target of XXE attack due to an improper factory and parser initialisation. | |||||
| CVE-2018-2401 | 1 Redwood | 1 Sap Business Process Automation | 2019-10-09 | 6.5 MEDIUM | 8.8 HIGH |
| SAP Business Process Automation (BPA) By Redwood does not sufficiently validate an XML document accepted from an untrusted source resulting in an XML External Entity (XXE) vulnerability. | |||||
| CVE-2018-1905 | 1 Ibm | 1 Websphere Application Server | 2019-10-09 | 5.5 MEDIUM | 7.1 HIGH |
| IBM WebSphere Application Server 9.0.0.0 through 9.0.0.9 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 152534. | |||||