Total: 758 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2017-12069 | 2 Ocpfoundation, Siemens | 4 Local Discovery Server, Ua .net, Simatic Pcs7 and 1 more | 2017-10-06 | 6.4 MEDIUM | 8.2 HIGH | An XXE vulnerability has been identified in OPC Foundation UA .NET Sample Code before 2017-03-21 and Local Discovery Server (LDS) before 1.03.367. Among the affected products are Siemens SIMATIC PCS7 (All versions V8.1 and earlier), SIMATIC WinCC (All versions < V7.4 SP1), SIMATIC WinCC Runtime Professional (All versions < V14 SP1), SIMATIC NET PC Software, and SIMATIC IT Production Suite. By sending specially crafted packets to the OPC Discovery Server at port 4840/tcp, an attacker might cause the system to access various resources chosen by the attacker. |
| CVE-2017-1527 | 1 Ibm | 1 Business Process Manager | 2017-09-29 | 7.5 HIGH | 8.1 HIGH | IBM Business Process Manager 7.5, 8.0, and 8.5 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 130156. |
| CVE-2017-0170 | 1 Microsoft | 6 Windows 10, Windows 7, Windows 8.1 and 3 more | 2017-09-27 | 4.3 MEDIUM | 6.5 MEDIUM | Windows Performance Monitor in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an information disclosure vulnerability due to the way it parses XML input, aka "Windows Performance Monitor Information Disclosure Vulnerability". |
| CVE-2017-8918 | 1 Blackwave | 1 Dive Assistant | 2017-09-21 | 4.3 MEDIUM | 5.5 MEDIUM | XXE in Dive Assistant - Template Builder in Blackwave Dive Assistant - Desktop Edition 8.0 allows attackers to remotely view local files via a crafted template.xml file. |
| CVE-2015-3160 | 1 Beaker-project | 1 Beaker | 2017-09-09 | 4.0 MEDIUM | 4.3 MEDIUM | XML external entity (XXE) vulnerability in bkr/server/jobs.py in Beaker before 20.1 allows remote authenticated users to obtain sensitive information via submitting job XML to the server containing entity references which reference files from the Beaker server's file system. |
| CVE-2010-2245 | 1 Apache | 1 Wink | 2017-08-16 | 5.8 MEDIUM | 7.4 HIGH | XML External Entity (XXE) vulnerability in Apache Wink 1.1.1 and earlier allows remote attackers to read arbitrary files or cause a denial of service via a crafted XML document. |
| CVE-2017-11272 | 1 Adobe | 1 Digital Editions | 2017-08-16 | 5.0 MEDIUM | 7.5 HIGH | Adobe Digital Editions 4.5.4 and earlier has a security bypass vulnerability. |
| CVE-2017-7457 | 1 Moxa | 1 Mx-aopc Server | 2017-08-16 | 1.9 LOW | 5.0 MEDIUM | XML External Entity via ".AOP" files used by Moxa MX-AOPC Server 1.5 result in remote file disclosure. |
| CVE-2015-0194 | 1 Ibm | 2 Sterling B2b Integrator, Sterling File Gateway | 2017-08-14 | 4.0 MEDIUM | 6.5 MEDIUM | XML External Entity (XXE) vulnerability in IBM Sterling B2B Integrator 5.1 and 5.2 and IBM Sterling File Gateway 2.1 and 2.2 allows remote attackers to read arbitrary files via a crafted XML data. |
| CVE-2017-1383 | 1 Ibm | 2 Infosphere Information Server, Softlayer | 2017-08-04 | 6.4 MEDIUM | 9.1 CRITICAL | IBM InfoSphere Information Server 9.1, 11.3, and 11.5 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 127155. |
| CVE-2017-11390 | 1 Trendmicro | 1 Control Manager | 2017-08-04 | 5.0 MEDIUM | 7.5 HIGH | XML external entity (XXE) processing vulnerability in Trend Micro Control Manager 6.0, if exploited, could lead to information disclosure. Formerly ZDI-CAN-4706. |
| CVE-2016-7458 | 1 Vmware | 1 Vsphere Client | 2017-07-28 | 5.0 MEDIUM | 5.8 MEDIUM | VMware vSphere Client 5.5 before U3e and 6.0 before U2a allows remote vCenter Server and ESXi instances to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. |
| CVE-2016-7460 | 1 Vmware | 1 Vrealize Automation | 2017-07-28 | 6.4 MEDIUM | 9.1 CRITICAL | The Single Sign-On feature in VMware vCenter Server 5.5 before U3e and 6.0 before U2a and vRealize Automation 6.x before 6.2.5 allows remote attackers to read arbitrary files or cause a denial of service via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. |
| CVE-2016-6798 | 1 Apache | 1 Sling | 2017-07-25 | 7.5 HIGH | 9.8 CRITICAL | In the XSS Protection API module before 1.0.12 in Apache Sling, the method XSS.getValidXML() uses an insecure SAX parser to validate the input string, which allows for XXE attacks in all scripts which use this method to validate user input, potentially allowing an attacker to read sensitive data on the filesystem, perform same-site-request-forgery (SSRF), port-scanning behind the firewall or DoS the application. |
| CVE-2017-1219 | 1 Ibm | 1 Bigfix Platform | 2017-07-25 | 5.5 MEDIUM | 6.5 MEDIUM | IBM Tivoli Endpoint Manager is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 123859. |
| CVE-2017-7664 | 1 Apache | 1 Openmeetings | 2017-07-19 | 7.5 HIGH | 10.0 CRITICAL | Uploaded XML documents were not correctly validated in Apache OpenMeetings 3.1.0. |
| CVE-2017-1254 | 1 Ibm | 1 Security Guardium | 2017-07-17 | 5.5 MEDIUM | 7.1 HIGH | IBM Security Guardium 10.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. IBM X-Force ID: 124634. |
| CVE-2017-3811 | 1 Cisco | 1 Webex Meetings Server | 2017-07-12 | 4.0 MEDIUM | 6.5 MEDIUM | An XML External Entity vulnerability in Cisco WebEx Meetings Server could allow an authenticated, remote attacker to have read access to part of the information stored in the affected system. More Information: CSCvc39165. Known Affected Releases: 2.6. Known Fixed Releases: 2.7.1.2054. |
| CVE-2017-7907 | 1 Schneider-electric | 1 Wonderware Historian Client | 2017-07-08 | 3.3 LOW | 6.6 MEDIUM | An Improper XML Parser Configuration issue was discovered in Schneider Electric Wonderware Historian Client 2014 R2 SP1 and prior. An improperly restricted XML parser (with improper restriction of XML external entity reference, or XXE) may allow an attacker to enter malicious input through the application which could cause a denial of service or disclose file contents from a server or connected network. |
| CVE-2017-9231 | 1 Citrix | 1 Xenmobile Server | 2017-07-07 | 5.0 MEDIUM | 7.5 HIGH | XML external entity (XXE) vulnerability in Citrix XenMobile Server 9.x and 10.x before 10.5 RP3 allows attackers to obtain sensitive information via unspecified vectors. |
| CVE-2017-10670 | 1 Xoev | 1 Osci Transport Library | 2017-07-06 | 7.5 HIGH | 9.8 CRITICAL | An XML External Entity (XXE) issue exists in OSCI-Transport 1.2 as used in OSCI Transport Library 1.6.1 (Java) and OSCI Transport Library 1.6 (.NET), exploitable by sending a crafted standard-conforming OSCI message from within the infrastructure. |
| CVE-2017-1322 | 1 Ibm | 1 Api Connect | 2017-07-05 | 6.4 MEDIUM | 8.2 HIGH | IBM API Connect 5.0.6.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. IBM X-Force ID: 125918. |
| CVE-2016-0254 | 1 Ibm | 1 Cognos Business Intelligence | 2017-06-14 | 6.8 MEDIUM | 6.5 MEDIUM | IBM Cognos Business Intelligence 10.1 and 10.2 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote authenticated attacker could exploit this vulnerability to consume all available CPU resources and cause a denial of service. IBM X-Force ID: 110563. |
| CVE-2016-9698 | 1 Ibm | 1 Rational Rhapsody Design Manager | 2017-06-14 | 7.5 HIGH | 8.1 HIGH | IBM Rhapsody DM 4.0, 5.0, and 6.0 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM Reference #: 1999960. |
| CVE-2017-2308 | 1 Juniper | 1 Junos Space | 2017-06-08 | 5.0 MEDIUM | 6.5 MEDIUM | An XML External Entity Injection vulnerability in Juniper Networks Junos Space versions prior to 16.1R1 may allow an authenticated user to read arbitrary files on the device. |
| CVE-2017-9295 | 1 Hitachi | 1 Device Manager | 2017-06-08 | 4.0 MEDIUM | 6.5 MEDIUM | XXE vulnerability in Hitachi Device Manager before 8.5.2-01 and Hitachi Replication Manager before 8.5.2-00 allows authenticated remote users to read arbitrary files. |
| CVE-2014-0225 | 1 Pivotal Software | 1 Spring Framework | 2017-06-07 | 6.8 MEDIUM | 8.8 HIGH | When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack. |
| CVE-2017-7503 | 1 Redhat | 1 Jboss Enterprise Application Platform | 2017-05-31 | 7.5 HIGH | 9.8 CRITICAL | It was found that the Red Hat JBoss EAP 7.0.5 implementation of javax.xml.transform.TransformerFactory is vulnerable to XXE. An attacker could use this flaw to launch DoS or SSRF attacks, or read files from the server where EAP is deployed. |
| CVE-2017-1103 | 1 Ibm | 2 Rational Quality Manager, Rational Team Concert | 2017-05-15 | 7.5 HIGH | 8.1 HIGH | IBM Team Concert (RTC) is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM X-Force ID: 120665. |
| CVE-2016-9691 | 1 Ibm | 1 Websphere Cast Iron Solution | 2017-05-12 | 9.0 HIGH | 8.6 HIGH | IBM WebSphere Cast Iron Solution 7.0.0 and 7.5.0.0 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM X-Force ID: 119515. |
| CVE-2017-1149 | 1 Ibm | 1 Urbancode Deploy | 2017-05-05 | 7.5 HIGH | 8.1 HIGH | IBM UrbanCode Deploy (UCD) 6.0, 6.1, and 6.2 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM X-Force ID: 122202. |
| CVE-2017-8056 | 1 Watchguard | 1 Fireware | 2017-04-27 | 5.0 MEDIUM | 5.3 MEDIUM | WatchGuard Fireware v11.12.1 and earlier mishandles requests referring to an XML External Entity (XXE), in the XML-RPC agent. This causes the Firebox wgagent process to crash. This process crash ends all authenticated sessions to the Firebox, including management connections, and prevents new authenticated sessions until the process has recovered. The Firebox may also experience an overall degradation in performance while the wgagent process recovers. An attacker could continuously send XML-RPC requests that contain references to external entities to perform a limited Denial of Service (DoS) attack against an affected Firebox. |
| CVE-2015-7273 | 1 Dell | 3 Integrated Remote Access Controller 7, Integrated Remote Access Controller 8, Integrated Remote Access Controller Firmware | 2017-04-14 | 7.5 HIGH | 9.8 CRITICAL | Dell Integrated Remote Access Controller (iDRAC) 7/8 before 2.21.21.21 has XXE. |
| CVE-2016-6805 | 1 Apache | 1 Ignite | 2017-04-13 | 4.3 MEDIUM | 5.9 MEDIUM | Apache Ignite before 1.9 allows man-in-the-middle attackers to read arbitrary files via XXE in modified update-notifier documents. |
| CVE-2016-9707 | 1 Ibm | 7 Rational Collaborative Lifecycle Management, Rational Doors Next Generation, Rational Engineering Lifecycle Manager and 4 more | 2017-04-04 | 7.5 HIGH | 8.1 HIGH | IBM Jazz Foundation is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM Reference #: 2000784. |
| CVE-2016-6111 | 1 Ibm | 1 Curam Social Program Management | 2017-04-04 | 8.5 HIGH | 9.1 CRITICAL | IBM Curam Social Program Management 6.0 and 7.0 are vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM Reference #: 2000833. |
| CVE-2017-6895 | 1 Usb Pratirodh Project | 1 Usb Pratirodh | 2017-03-28 | 7.5 HIGH | 9.8 CRITICAL | USB Pratirodh allows remote attackers to conduct XML External Entity (XXE) attacks via XML data in usb.xml. |
| CVE-2016-5748 | 1 Netiq | 1 Access Manager | 2017-03-24 | 2.1 LOW | 5.5 MEDIUM | External Entity Processing (XXE) vulnerability in the "risk score" application of NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before 4.2.2 could be used to disclose the content of local files to logged-in users. |
| CVE-2016-5749 | 1 Netiq | 1 Access Manager | 2017-03-24 | 2.1 LOW | 5.5 MEDIUM | NetIQ Access Manager 4.1 before 4.1.2 HF 1 and 4.2 before 4.2.2 was parsing incoming SAML requests with external entity resolution enabled, which could lead to local file disclosure via an XML External Entity (XXE) attack. |
| CVE-2016-4931 | 1 Juniper | 1 Junos Space | 2017-03-22 | 4.0 MEDIUM | 6.5 MEDIUM | XML entity injection in Junos Space before 15.2R2 allows attackers to cause a denial of service. |
| CVE-2017-6055 | 1 Eparaksts | 1 Eparakstitajs 3 | 2017-03-16 | 6.8 MEDIUM | 7.8 HIGH | XML external entity (XXE) vulnerability in eParakstitajs 3 before 1.3.9 and eParaksts Java lib before 2.5.13 allows remote attackers to read arbitrary files or possibly have unspecified other impact via a crafted edoc file. |
| CVE-2016-9724 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2017-03-08 | 7.5 HIGH | 8.1 HIGH | IBM QRadar 7.2 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM Reference #: 1999537. |
| CVE-2016-10127 | 1 Pysaml2 Project | 1 Pysaml2 | 2017-03-08 | 6.8 MEDIUM | 9.0 CRITICAL | PySAML2 allows remote attackers to conduct XML external entity (XXE) attacks via a crafted SAML XML request or response. |
| CVE-2016-9706 | 1 Ibm | 2 Integration Bus, Websphere Message Broker | 2017-03-07 | 8.5 HIGH | 9.1 CRITICAL | IBM Integration Bus 9.0 and 10.0 and WebSphere Message Broker SOAP FLOWS is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM Reference #: 1997918. |
| CVE-2016-8974 | 1 Ibm | 1 Rational Rhapsody Design Manager | 2017-03-02 | 7.5 HIGH | 8.1 HIGH | IBM Rhapsody DM 4.0, 5.0 and 6.0 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM Reference #: 1997798. |
| CVE-2017-6344 | 1 Grails | 1 Pdf Plugin | 2017-03-02 | 4.3 MEDIUM | 5.9 MEDIUM | XML External Entity (XXE) vulnerability in Grails PDF Plugin 0.6 allows remote attackers to read arbitrary files via a crafted XML document. |
| CVE-2016-8348 | 1 Emerson | 1 Liebert Sitescan Web | 2017-03-02 | 7.5 HIGH | 9.8 CRITICAL | An XML External Entity (XXE) issue was discovered in Emerson Liebert SiteScan Web Version 6.5, and prior. An attacker may enter malicious input to Liebert SiteScan through a weakly configured XML parser causing the application to execute arbitrary code or disclose file contents from a server or connected network. |
| CVE-2017-5992 | 1 Python | 1 Openpyxl | 2017-02-17 | 5.8 MEDIUM | 8.2 HIGH | Openpyxl 2.4.1 resolves external entities by default, which allows remote attackers to conduct XXE attacks via a crafted .xlsx document. |
| CVE-2016-8980 | 5 Hp, Ibm, Linux and 2 more | 7 Hp-ux, Aix, Bigfix Inventory and 4 more | 2017-02-13 | 7.5 HIGH | 8.1 HIGH | IBM BigFix Inventory v9 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. |
| CVE-2016-6059 | 1 Ibm | 3 Infosphere Datastage, Infosphere Information Server, Infosphere Information Server On Cloud | 2017-02-08 | 7.5 HIGH | 8.1 HIGH | IBM InfoSphere Information Server is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. |
