Total: 758 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-0265 | 1 Sap | 5 Advanced Business Application Programming Platform Kernel, Advanced Business Application Programming Platform Krnl32nuc, Advanced Business Application Programming Platform Krnl32uc and 2 more | 2019-03-13 | 4.0 MEDIUM | 4.9 MEDIUM |
| SLD Registration of ABAP Platform allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. Fixed in versions: KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT; KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT; KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49; KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.73; KERNEL 7.21 to 7.22, 7.45, 7.49, 7.53, 7.73, 7.75. | |||||
| CVE-2019-5918 | 1 Nablarch Project | 1 Nablarch | 2019-03-13 | 8.5 HIGH | 9.1 CRITICAL |
| Nablarch 5 (5, and 5u1 to 5u13) allows remote attackers to conduct XML External Entity (XXE) attacks via unspecified vectors. | |||||
| CVE-2017-5828 | 1 Hp | 1 Aruba Clearpass Policy Manager | 2019-03-11 | 5.5 MEDIUM | 8.1 HIGH |
| HPE Aruba ClearPass Policy Manager version 6.6.x contains an arbitrary command execution vulnerability. | |||||
| CVE-2018-9116 | 1 Wiremock | 1 Wiremock | 2019-02-27 | 6.4 MEDIUM | 9.1 CRITICAL |
| An XXE vulnerability within WireMock before 2.16.0 allows a remote unauthenticated attacker to access local files and internal resources and potentially cause a Denial of Service. | |||||
| CVE-2018-19858 | 1 Princexml | 1 Princexml | 2019-02-21 | 5.0 MEDIUM | 8.6 HIGH |
| PrinceXML, versions 10 and below, is vulnerable to XXE due to the lack of protection against external entities. If an attacker passes HTML referencing an XML file (e.g., in an IFRAME element), PrinceXML will fetch the XML and parse it, thus giving an attacker file-read access and full-fledged SSRF. | |||||
| CVE-2019-7722 | 1 Pmd Project | 1 Pmd | 2019-02-21 | 6.8 MEDIUM | 8.1 HIGH |
| PMD 5.8.1 and earlier processes XML external entities in the ruleset files it parses as part of the analysis process, allowing an attacker who can tamper with a ruleset (by direct modification, or by a man-in-the-middle attack when remote rulesets are used) to perform information disclosure, denial of service, or request forgery attacks. (PMD 6.x is unaffected because of a 2017-09-15 change.) | |||||
| CVE-2018-1000889 | 1 Logisim-evolution Project | 1 Logisim-evolution | 2019-02-13 | 6.8 MEDIUM | 8.8 HIGH |
| Logisim Evolution version 2.14.3 and earlier contains an XML External Entity (XXE) vulnerability in the circuit file loading functionality (loadXmlFrom in src/com/cburch/logisim/file/XmlReader.java) that can result in information leakage and possibly RCE, depending on system configuration. This attack appears to be exploitable via the victim opening a specially crafted circuit file. This vulnerability appears to have been fixed in 2.14.4. | |||||
| CVE-2018-11788 | 1 Apache | 1 Karaf | 2019-02-12 | 7.5 HIGH | 9.8 CRITICAL |
| Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed with the XMLInputFactory class, and Apache Karaf applies no mitigation against XXE to that parser. This is a potential security risk, as a user can inject external XML entities in Apache Karaf versions prior to 4.1.7 or 4.2.2. It has been fixed in the Apache Karaf 4.1.7 and 4.2.2 releases. | |||||
| CVE-2018-1000836 | 1 Apereo | 1 Bw-calendar-engine | 2019-02-07 | 6.8 MEDIUM | 9.0 CRITICAL |
| bw-calendar-engine versions up to and including bw-calendar-engine-3.12.0 contain an XML External Entity (XXE) vulnerability in the IscheduleClient XML parser that can result in disclosure of confidential data, denial of service, SSRF, and port scanning. This attack appears to be exploitable via a man-in-the-middle or a malicious server. | |||||
| CVE-2018-1000829 | 1 Anyplace Project | 1 Anyplace | 2019-02-07 | 6.8 MEDIUM | 9.0 CRITICAL |
| Anyplace versions before commit 80359b4 contain an XML External Entity (XXE) vulnerability, exploitable by a man-in-the-middle on the map API call, that can result in disclosure of confidential data, denial of service, SSRF, and port scanning. This vulnerability appears to have been fixed in commit 80359b4. | |||||
| CVE-2018-1000840 | 1 Processing | 1 Processing | 2019-02-07 | 4.3 MEDIUM | 6.5 MEDIUM |
| Processing Foundation Processing version 3.4 and earlier contains an XML External Entity (XXE) vulnerability in the loadXML() function that allows an attacker to read arbitrary files and exfiltrate their contents via HTTP requests. This attack appears to be exploitable when the victim uses Processing to parse a crafted XML document. | |||||
| CVE-2018-20233 | 1 Atlassian | 1 Universal Plugin Manager | 2019-02-06 | 5.5 MEDIUM | 6.5 MEDIUM |
| The Upload add-on resource in Atlassian Universal Plugin Manager before version 2.22.14 allows remote attackers who have system administrator privileges to read files, make network requests and perform a denial of service attack via an XML External Entity vulnerability in the parsing of atlassian plugin xml files in an uploaded JAR. | |||||
| CVE-2018-15362 | 1 Ge | 1 Cimplicity | 2019-02-06 | 6.4 MEDIUM | 9.1 CRITICAL |
| An XXE vulnerability exists in GE Proficy Cimplicity GDS versions 9.0 R2, 9.5, and 10.0. | |||||
| CVE-2018-7063 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2019-02-05 | 6.8 MEDIUM | 8.1 HIGH |
| In Aruba ClearPass, disabled API admins can still perform read/write operations. In certain circumstances, API admins in ClearPass which have been disabled may still be able to perform read/write operations on parts of the XML API. This can lead to unauthorized access to the API and complete compromise of the ClearPass instance if an attacker knows of the existence of these accounts. | |||||
| CVE-2018-20298 | 1 S3browser | 1 S3 Browser | 2019-02-04 | 4.3 MEDIUM | 6.5 MEDIUM |
| S3 Browser before 8.1.5 contains an XML external entity (XXE) vulnerability, allowing remote attackers to read arbitrary files and obtain NTLMv2 hash values by tricking a user into connecting to a malicious server via the S3 protocol. | |||||
| CVE-2018-20733 | 6 Hpe, Ibm, Linux and 3 more | 6 Hp-ux Ipfilter, Aix, Linux Kernel and 3 more | 2019-02-01 | 5.0 MEDIUM | 7.5 HIGH |
| BI Web Services in SAS Web Infrastructure Platform before 9.4M6 allows XXE. | |||||
| CVE-2018-7837 | 1 Schneider-electric | 1 Iiot Monitor | 2019-02-01 | 5.0 MEDIUM | 7.5 HIGH |
| An Improper Restriction of XML External Entity Reference ('XXE') vulnerability exists on numerous methods of the IIoT Monitor 3.1.38 software that could allow the software to resolve documents outside of the intended sphere of control, causing the software to embed incorrect documents into its output and expose restricted information. | |||||
| CVE-2018-19244 | 1 Charlesproxy | 1 Charles | 2019-02-01 | 5.0 MEDIUM | 8.6 HIGH |
| An XML External Entity (XXE) vulnerability exists in the Charles 4.2.7 import/export setup option. If a user imports a "Charles Settings.xml" file from an attacker, an intranet network may be accessed and information may be leaked. | |||||
| CVE-2018-17186 | 1 Apache | 1 Syncope | 2019-01-31 | 6.5 MEDIUM | 7.2 HIGH |
| An administrator with workflow definition entitlements can use a DTD to perform malicious operations, including but not limited to file read, file write, and code execution. | |||||
| CVE-2019-5748 | 1 Traccar | 1 Server | 2019-01-30 | 7.5 HIGH | 9.8 CRITICAL |
| In Traccar Server version 4.2, protocol/SpotProtocolDecoder.java might allow XXE attacks. | |||||
| CVE-2018-18980 | 1 Zohocorp | 2 Manageengine Network Configuration Manager, Manageengine Opmanager | 2019-01-30 | 5.0 MEDIUM | 7.5 HIGH |
| An XML External Entity injection (XXE) vulnerability exists in Zoho ManageEngine Network Configuration Manager and OpManager before 12.3.214 via the RequestXML parameter in a /devices/ProcessRequest.do GET request. For example, the attacker can trigger the transmission of local files to an arbitrary remote FTP server. | |||||
| CVE-2018-16166 | 1 Jpcert | 1 Logontracer | 2019-01-25 | 6.8 MEDIUM | 8.8 HIGH |
| LogonTracer 1.2.0 and earlier allows remote attackers to conduct XML External Entity (XXE) attacks via unspecified vectors. | |||||
| CVE-2018-19371 | 1 Sdl | 1 Web Content Manager | 2019-01-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| The SaveUserSettings service in Content Manager in SDL Web 8.5.0 has an XXE Vulnerability that allows reading sensitive files from the system. | |||||
| CVE-2018-20000 | 1 Apereo | 1 Bw-webdav | 2019-01-24 | 5.0 MEDIUM | 7.5 HIGH |
| Apereo Bedework bw-webdav before 4.0.3 allows XXE attacks, as demonstrated by an invite-reply document that reads a local file, related to webdav/servlet/common/MethodBase.java and webdav/servlet/common/PostRequestPars.java. | |||||
| CVE-2018-20318 | 1 Wxjava Project | 1 Wxjava | 2019-01-16 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in weixin-java-tools v3.2.0. There is an XXE vulnerability in the getXmlDoc method of the BaseWxPayResult.java file. | |||||
| CVE-2019-5312 | 1 Wxjava Project | 1 Wxjava | 2019-01-16 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in weixin-java-tools v3.3.0. There is an XXE vulnerability in the getXmlDoc method of the BaseWxPayResult.java file. NOTE: this issue exists because of an incomplete fix for CVE-2018-20318. | |||||
| CVE-2018-1000820 | 1 Neo4j-contrib | 1 Neo4j-apoc-procedures | 2019-01-08 | 7.5 HIGH | 10.0 CRITICAL |
| neo4j-contrib neo4j-apoc-procedures versions before commit 45bc09c contain an XML External Entity (XXE) vulnerability in the XML parser that can result in disclosure of confidential data, denial of service, SSRF, and port scanning. This vulnerability appears to have been fixed in commit 45bc09c. | |||||
| CVE-2018-1000821 | 1 Micromathematics Project | 1 Micromathematics | 2019-01-08 | 7.5 HIGH | 10.0 CRITICAL |
| MicroMathematics versions before commit 5c05ac8 contain an XML External Entity (XXE) vulnerability in the handling of SMathStudio files that can result in disclosure of confidential data, denial of service, SSRF, and port scanning. This attack appears to be exploitable via specially crafted SMathStudio files. This vulnerability appears to have been fixed in commit 5c05ac8. | |||||
| CVE-2018-1000822 | 1 Codelibs | 1 Fess | 2019-01-08 | 7.5 HIGH | 10.0 CRITICAL |
| codelibs fess versions before commit faa265b contain an XML External Entity (XXE) vulnerability in the GSA XML file parser that can result in disclosure of confidential data, denial of service, SSRF, and port scanning. This attack appears to be exploitable via specially crafted GSA XML files. This vulnerability appears to have been fixed in commit faa265b. | |||||
| CVE-2018-1000825 | 1 Freecol | 1 Freecol | 2019-01-08 | 7.5 HIGH | 10.0 CRITICAL |
| FreeCol versions up to and including nightly-2018-08-22 contain an XML External Entity (XXE) vulnerability in the FreeColXMLReader parser that can result in disclosure of confidential data, denial of service, SSRF, and port scanning. This attack appears to be exploitable via a FreeCol file. | |||||
| CVE-2018-1000830 | 1 Xr3player Project | 1 Xr3player | 2019-01-08 | 7.5 HIGH | 10.0 CRITICAL |
| XR3Player versions up to and including V3.124 contain an XML External Entity (XXE) vulnerability in the playlist parser that can result in disclosure of confidential data, denial of service, SSRF, and port scanning. | |||||
| CVE-2018-1000831 | 1 K9mail | 1 K-9 Mail | 2019-01-08 | 7.5 HIGH | 10.0 CRITICAL |
| K9Mail versions up to and including v5.600 contain an XML External Entity (XXE) vulnerability in the WebDAV response parser that can result in disclosure of confidential data, denial of service, SSRF, and port scanning. This attack appears to be exploitable via a malicious WebDAV server or by intercepting the response of a valid WebDAV server. | |||||
| CVE-2018-1000834 | 1 Runelite | 1 Runelite | 2019-01-08 | 6.8 MEDIUM | 9.0 CRITICAL |
| runelite versions up to and including runelite-parent-1.4.23 contain an XML External Entity (XXE) vulnerability, exploitable by a man-in-the-middle on the RuneScape services call, that can result in disclosure of confidential data, denial of service, SSRF, and port scanning. | |||||
| CVE-2018-1000838 | 1 Sleuthkit | 1 Autopsy | 2019-01-08 | 7.5 HIGH | 10.0 CRITICAL |
| autopsy versions up to and including 4.9.0 contain an XML External Entity (XXE) vulnerability in the CaseMetadata XML parser that can result in disclosure of confidential data, denial of service, SSRF, and port scanning. This attack appears to be exploitable via specially crafted CaseMetadata. | |||||
| CVE-2018-20157 | 1 Openrefine | 1 Openrefine | 2019-01-03 | 5.0 MEDIUM | 7.5 HIGH |
| The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files. | |||||
| CVE-2018-15805 | 1 Accusoft | 1 Prizmdoc | 2019-01-03 | 6.4 MEDIUM | 9.1 CRITICAL |
| Accusoft PrizmDoc HTML5 Document Viewer before 13.5 contains an XML external entity (XXE) vulnerability, allowing an attacker to read arbitrary files or cause a denial of service (resource consumption). | |||||
| CVE-2018-20059 | 1 Pippo | 1 Pippo | 2019-01-03 | 7.5 HIGH | 9.8 CRITICAL |
| jaxb/JaxbEngine.java in Pippo 1.11.0 allows XXE. | |||||
| CVE-2018-17411 | 1 Informationbuilders | 1 Data Quality Suite | 2018-12-17 | 10.0 HIGH | 9.8 CRITICAL |
| An XML External Entity (XXE) vulnerability exists in iWay Data Quality Suite Web Console 10.6.1.ga-2016-11-20. | |||||
| CVE-2018-18737 | 1 Douchat | 1 Douchat | 2018-12-11 | 5.0 MEDIUM | 7.5 HIGH |
| An XXE issue was discovered in Douchat 4.0.4 because Data\notify.php calls simplexml_load_string. This can also be used for SSRF. | |||||
| CVE-2018-12243 | 1 Symantec | 1 Messaging Gateway | 2018-12-08 | 5.8 MEDIUM | 8.8 HIGH |
| The Symantec Messaging Gateway product prior to 10.6.6 may be susceptible to an XML external entity (XXE) exploit, a type of issue where XML input containing a reference to an external entity is processed by a weakly configured XML parser. The attack uses file URI schemes or relative paths in the system identifier to access files that should not normally be accessible. | |||||
| CVE-2018-16521 | 1 Openmrs | 2 Html Form Entry, Reference Application | 2018-12-07 | 7.5 HIGH | 9.8 CRITICAL |
| An XML External Entity (XXE) vulnerability exists in HTML Form Entry 3.7.0, as distributed in OpenMRS Reference Application 2.8.0. | |||||
| CVE-2018-18659 | 1 Arcserve | 1 Udp | 2018-12-06 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Arcserve Unified Data Protection (UDP) through 6.5 Update 4. There is an unauthenticated XXE issue in /management/UdpHttpService (DDI-VRT-2018-19). | |||||
| CVE-2016-5002 | 1 Apache | 1 Xml-rpc | 2018-12-05 | 9.3 HIGH | 7.8 HIGH |
| XML external entity (XXE) vulnerability in the Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted DTD. | |||||
| CVE-2018-16252 | 1 Fspro | 1 Event Log Explorer | 2018-12-04 | 2.1 LOW | 3.3 LOW |
| FsPro Labs Event Log Explorer 4.6.1.2115 is vulnerable to XML External Entity injection via a crafted ".elx" file. | |||||
| CVE-2018-15531 | 1 Javamelody Project | 1 Javamelody | 2018-11-29 | 7.5 HIGH | 9.8 CRITICAL |
| JavaMelody before 1.74.0 has XXE via parseSoapMethodName in bull/javamelody/PayloadNameRequestWrapper.java. | |||||
| CVE-2018-8494 | 1 Microsoft | 8 Windows 10, Windows 7, Windows 8.1 and 5 more | 2018-11-28 | 9.3 HIGH | 8.8 HIGH |
| A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka "MS XML Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. | |||||
| CVE-2018-12585 | 1 Opcfoundation | 2 Ua-.net-legacy, Ua-java | 2018-11-27 | 6.4 MEDIUM | 8.2 HIGH |
| An XXE vulnerability in the OPC UA Java and .NET Legacy Stack can allow remote attackers to trigger a denial of service. | |||||
| CVE-2018-8527 | 1 Microsoft | 1 Sql Server Management Studio | 2018-11-27 | 4.3 MEDIUM | 5.5 MEDIUM |
| An information disclosure vulnerability exists in Microsoft SQL Server Management Studio (SSMS) when parsing a malicious XEL file containing a reference to an external entity, aka "SQL Server Management Studio Information Disclosure Vulnerability." This affects SQL Server Management Studio 17.9, SQL Server Management Studio 18.0. This CVE ID is unique from CVE-2018-8532, CVE-2018-8533. | |||||
| CVE-2018-8532 | 1 Microsoft | 1 Sql Server Management Studio | 2018-11-27 | 4.3 MEDIUM | 5.5 MEDIUM |
| An information disclosure vulnerability exists in Microsoft SQL Server Management Studio (SSMS) when parsing a malicious XMLA file containing a reference to an external entity, aka "SQL Server Management Studio Information Disclosure Vulnerability." This affects SQL Server Management Studio 17.9, SQL Server Management Studio 18.0. This CVE ID is unique from CVE-2018-8527, CVE-2018-8533. | |||||
| CVE-2018-8533 | 1 Microsoft | 1 Sql Server Management Studio | 2018-11-27 | 4.3 MEDIUM | 5.5 MEDIUM |
| An information disclosure vulnerability exists in Microsoft SQL Server Management Studio (SSMS) when parsing malicious XML content containing a reference to an external entity, aka "SQL Server Management Studio Information Disclosure Vulnerability." This affects SQL Server Management Studio 17.9, SQL Server Management Studio 18.0. This CVE ID is unique from CVE-2018-8527, CVE-2018-8532. | |||||
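Most entries in this listing share the root cause that the Symantec Messaging Gateway and Apache Karaf descriptions spell out: a parser that resolves external general entities in attacker-controlled input, with the entity's system identifier pointing at a local file. The script below is an added example, not code from any of the listed projects, that reproduces this with Python's standard-library `xml.sax` parser, whose `feature_external_ges` switch turns external general entity resolution on or off. The same payload is parsed three times: with the switch on (the "weakly configured parser"), with it off (the fix), and with it on but behind an auditing `EntityResolver` that records and refuses the resolution attempt, which is the shape of a detection hook. The secret file, the payload, and the class and function names (`TextCollector`, `AuditingResolver`, `build_payload`, `parse_text`, `demo`) are constructed for the example.

```python
"""XXE against the stdlib xml.sax parser: vulnerable, hardened, and audited.

Constructed example: a temp file stands in for /etc/passwd, and an in-memory
payload stands in for attacker-supplied XML (an uploaded config, a WebDAV
response, a SOAP body). All names here are the example's own.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, EntityResolver, feature_external_ges


class BlockedEntity(Exception):
    """Raised by the auditing resolver to abort the parse."""


class TextCollector(ContentHandler):
    """Collects character data, which a real application would then echo
    into a response, a log line or an outbound request."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


class AuditingResolver(EntityResolver):
    """Detection hook: records every external entity the document asks for,
    then refuses it. Only consulted when external GE resolution is on."""

    def __init__(self):
        self.attempts = []

    def resolveEntity(self, publicId, systemId):
        self.attempts.append(systemId)
        raise BlockedEntity(f"external entity blocked: {systemId}")


def build_payload(system_id: str) -> bytes:
    """Classic in-band XXE: an external general entity whose system
    identifier is a local path, referenced in element content."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE r [ <!ENTITY xxe SYSTEM "{system_id}"> ]>\n'
        '<r>&xxe;</r>\n'
    ).encode()


def parse_text(data: bytes, resolve_external: bool, resolver=None) -> str:
    """Parse `data` and return its text content.

    feature_external_ges is the switch that matters: True reproduces a
    weakly configured parser; False (the default since Python 3.7.1) is
    the fix. Setting it explicitly makes the intent visible in review.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    if resolver is not None:
        parser.setEntityResolver(resolver)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(data))
    return "".join(handler.parts).strip()


def demo() -> dict:
    """Run the same payload through the three configurations."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("TOP-SECRET-TOKEN")  # constructed stand-in for /etc/passwd
        secret_path = f.name
    try:
        payload = build_payload(secret_path)
        results = {
            "vulnerable": parse_text(payload, resolve_external=True),
            "hardened": parse_text(payload, resolve_external=False),
        }
        resolver = AuditingResolver()
        try:
            parse_text(payload, resolve_external=True, resolver=resolver)
            results["audited"] = "parsed"
        except BlockedEntity:
            results["audited"] = "blocked"
        results["attempted"] = list(resolver.attempts)
        return results
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The vulnerable configuration returns the secret file's contents as ordinary element text, which is exactly what the "read arbitrary files" wording in the entries above means; the hardened configuration returns an empty string because the entity is skipped rather than resolved. The auditing resolver is only reached when resolution is enabled, so it is a way to log attempts on a legacy code path that cannot yet be switched off, not a substitute for disabling external entities. Note that the same system identifier could be a `file://` URI or an `http://` URL, which is where the SSRF and out-of-band exfiltration variants in this listing come from.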
