Total: 758 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-21657 | 1 Jenkins | 1 Filesystem Trigger | 2021-06-01 | 6.5 MEDIUM | 8.8 HIGH |
| Jenkins Filesystem Trigger Plugin 0.40 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2021-21658 | 1 Jenkins | 1 Nuget | 2021-06-01 | 6.4 MEDIUM | 9.1 CRITICAL |
| Jenkins Nuget Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2021-21659 | 1 Jenkins | 1 Urltrigger | 2021-05-28 | 5.5 MEDIUM | 8.1 HIGH |
| Jenkins URLTrigger Plugin 0.48 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2021-22140 | 1 Elastic | 1 Elastic App Search | 2021-05-21 | 5.0 MEDIUM | 7.5 HIGH |
| Elastic App Search versions after 7.11.0 and before 7.12.0 contain an XML External Entity Injection issue (XXE) in the App Search web crawler beta feature. Using this vector, an attacker whose website is being crawled by App Search could craft a malicious sitemap.xml to traverse the filesystem of the host running the instance and obtain sensitive files. | |||||
| CVE-2021-21656 | 1 Jenkins | 1 Xcode Integration | 2021-05-19 | 5.5 MEDIUM | 7.1 HIGH |
| Jenkins Xcode integration Plugin 2.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2021-23901 | 2 Apache, Netapp | 2 Nutch, Snap Creator Framework | 2021-05-17 | 6.4 MEDIUM | 9.1 CRITICAL |
| An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions < 1.18. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access. This issue is fixed in Apache Nutch 1.18. | |||||
| CVE-2021-30006 | 1 Jetbrains | 1 Intellij Idea | 2021-05-17 | 5.0 MEDIUM | 7.5 HIGH |
| In IntelliJ IDEA before 2020.3.3, XXE was possible, leading to information disclosure. | |||||
| CVE-2021-1530 | 1 Cisco | 1 Broadworks Messaging Server | 2021-05-14 | 5.5 MEDIUM | 7.1 HIGH |
| A vulnerability in the web-based management interface of Cisco BroadWorks Messaging Server Software could allow an authenticated, remote attacker to access sensitive information or cause a partial denial of service (DoS) condition on an affected system. This vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by uploading a crafted XML file that contains references to external entities. A successful exploit could allow the attacker to retrieve files from the local system, resulting in the disclosure of sensitive information, or cause the application to consume available resources, resulting in a partial DoS condition on an affected system. There are workarounds that address this vulnerability. | |||||
| CVE-2019-18227 | 1 Advantech | 1 Wise-paas/rmm | 2021-05-13 | 5.0 MEDIUM | 7.5 HIGH |
| Advantech WISE-PaaS/RMM, Versions 3.3.29 and prior. XXE vulnerabilities exist that may allow disclosure of sensitive data. | |||||
| CVE-2020-36124 | 1 Paxtechnology | 1 Paxstore | 2021-05-13 | 4.0 MEDIUM | 6.5 MEDIUM |
| Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by XML External Entity (XXE) injection. An authenticated attacker can compromise the private keys of a JWT token and reuse them to manipulate the access tokens to access the platform as any desired user (clients and administrators). | |||||
| CVE-2021-29140 | 1 Arubanetworks | 1 Clearpass | 2021-05-07 | 6.4 MEDIUM | 8.2 HIGH |
| A remote XML external entity (XXE) vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.9.5, 6.8.9, 6.7.14-HF1. Aruba has released patches for Aruba ClearPass Policy Manager that address this security vulnerability. | |||||
| CVE-2020-5013 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2021-05-07 | 5.5 MEDIUM | 8.1 HIGH |
| IBM QRadar SIEM 7.3 and 7.4 may be vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 193245. | |||||
| CVE-2021-25164 | 1 Arubanetworks | 1 Airwave | 2021-05-07 | 5.5 MEDIUM | 6.5 MEDIUM |
| A remote XML external entity vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability. | |||||
| CVE-2021-25165 | 1 Arubanetworks | 1 Airwave | 2021-05-07 | 5.5 MEDIUM | 8.1 HIGH |
| A remote XML external entity vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability. | |||||
| CVE-2020-7037 | 1 Avaya | 1 Equinox Conferencing | 2021-05-07 | 5.5 MEDIUM | 8.1 HIGH |
| An XML External Entities (XXE) vulnerability in the Media Server component of Avaya Equinox Conferencing could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system or even potentially lead to a denial of service. The affected versions of Avaya Equinox Conferencing include all 9.x versions before 9.1.11. Equinox Conferencing is now offered as Avaya Meetings Server. | |||||
| CVE-2021-1369 | 1 Cisco | 1 Firepower Device Manager | 2021-05-05 | 5.5 MEDIUM | 5.4 MEDIUM |
| A vulnerability in the REST API of Cisco Firepower Device Manager (FDM) On-Box Software could allow an authenticated, remote attacker to gain read and write access to information that is stored on an affected device. This vulnerability is due to the improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by sending malicious requests that contain references in XML entities to an affected system. A successful exploit could allow the attacker to retrieve files from the local system, resulting in the disclosure of sensitive information or causing a partial denial of service (DoS) condition on the affected device. | |||||
| CVE-2021-25163 | 1 Arubanetworks | 1 Airwave | 2021-05-03 | 5.5 MEDIUM | 8.1 HIGH |
| A remote XML external entity vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability. | |||||
| CVE-2020-7036 | 1 Avaya | 1 Callback Assist | 2021-04-30 | 4.0 MEDIUM | 6.5 MEDIUM |
| An XML External Entities (XXE) vulnerability in Callback Assist could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system. The affected versions of Callback Assist include all 4.0.x versions before 4.7.1.1 Patch 7. | |||||
| CVE-2020-7035 | 1 Avaya | 1 Aura Orchestration Designer | 2021-04-30 | 4.0 MEDIUM | 6.5 MEDIUM |
| An XML External Entities (XXE) vulnerability in the web-based user interface of Avaya Aura Orchestration Designer could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system. The affected versions of Orchestration Designer include all 7.x versions before 7.2.3. | |||||
| CVE-2021-27736 | 1 Fusionauth | 1 Saml V2 | 2021-04-27 | 4.0 MEDIUM | 6.5 MEDIUM |
| FusionAuth fusionauth-samlv2 before 0.5.4 allows XXE attacks via a forged AuthnRequest or LogoutRequest because parseFromBytes uses javax.xml.parsers.DocumentBuilderFactory unsafely. | |||||
| CVE-2021-20454 | 1 Ibm | 1 Websphere Application Server | 2021-04-23 | 6.4 MEDIUM | 8.2 HIGH |
| IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 196649. | |||||
| CVE-2021-21642 | 1 Jenkins | 1 Config File Provider | 2021-04-23 | 5.5 MEDIUM | 8.1 HIGH |
| Jenkins Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2017-8913 | 1 Sap | 1 Netweaver Application Server Java | 2021-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| The Visual Composer VC70RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via a crafted XML document in a request to irj/servlet/prt/portal/prtroot/com.sap.visualcomposer.BIKit.default, aka SAP Security Note 2386873. | |||||
| CVE-2017-11457 | 1 Sap | 1 Netweaver Application Server Java | 2021-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| XML external entity (XXE) vulnerability in com.sap.km.cm.ice in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request, aka SAP Security Note 2387249. | |||||
| CVE-2018-2492 | 1 Sap | 1 Netweaver Application Server Java | 2021-04-20 | 5.5 MEDIUM | 7.1 HIGH |
| SAML 2.0 functionality in SAP NetWeaver AS Java does not sufficiently validate XML documents received from an untrusted source. This is fixed in versions 7.2, 7.30, 7.31, 7.40 and 7.50. | |||||
| CVE-2016-3974 | 1 Sap | 1 Netweaver Application Server Java | 2021-04-20 | 6.4 MEDIUM | 9.1 CRITICAL |
| XML external entity (XXE) vulnerability in the Configuration Wizard in SAP NetWeaver Java AS 7.1 through 7.5 allows remote attackers to cause a denial of service, conduct SMB Relay attacks, or access arbitrary files via a crafted XML request to _tc~monitoring~webservice~web/ServerNodesWSService, aka SAP Security Note 2235994. | |||||
| CVE-2021-22158 | 1 Proofpoint | 1 Insider Threat Management | 2021-04-12 | 6.5 MEDIUM | 7.2 HIGH |
| The Proofpoint Insider Threat Management Server (formerly ObserveIT Server) is vulnerable to XML external entity (XXE) injection in the Web Console. The vulnerability requires admin user privileges and knowledge of the XML file's encryption key to successfully exploit. All versions before 7.11 are affected. | |||||
| CVE-2018-13823 | 2 Broadcom, Ca | 2 Project Portfolio Management, Project Portfolio Management | 2021-04-12 | 5.0 MEDIUM | 7.5 HIGH |
| An XML external entity vulnerability in the XOG functionality, in CA PPM 14.3 and below, 14.4, 15.1, 15.2 CP5 and below, and 15.3 CP2 and below, allows remote attackers to access sensitive information. | |||||
| CVE-2018-13826 | 2 Broadcom, Ca | 2 Project Portfolio Management, Project Portfolio Management | 2021-04-12 | 6.4 MEDIUM | 9.1 CRITICAL |
| An XML external entity vulnerability in the XOG functionality, in CA PPM 14.3 and below, 14.4, 15.1, 15.2 CP5 and below, and 15.3 CP2 and below, allows remote attackers to conduct server side request forgery attacks. | |||||
| CVE-2021-20482 | 1 Ibm | 1 Cloud Pak For Automation | 2021-04-01 | 5.5 MEDIUM | 7.1 HIGH |
| IBM Cloud Pak for Automation 20.0.2 and 20.0.3 IF002 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 197504. | |||||
| CVE-2021-1628 | 1 Salesforce | 1 Mule | 2021-04-01 | 7.5 HIGH | 9.8 CRITICAL |
| MuleSoft is aware of a XML External Entity (XXE) vulnerability affecting certain versions of a Mule runtime component that may affect both CloudHub and on-premise customers. Affected versions: Mule 4.x runtime released before February 2, 2021. | |||||
| CVE-2021-20502 | 1 Ibm | 6 Engineering Insights, Engineering Lifecycle Management, Engineering Requirements Quality Assistant On-premises and 3 more | 2021-03-31 | 5.5 MEDIUM | 7.1 HIGH |
| IBM Jazz Foundation Products are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 198059. | |||||
| CVE-2018-10077 | 1 Vertiv | 1 Watchdog Console | 2021-03-27 | 4.0 MEDIUM | 4.9 MEDIUM |
| XML external entity (XXE) vulnerability in Geist WatchDog Console 3.2.2 allows remote authenticated administrators to read arbitrary files via crafted XML data. | |||||
| CVE-2021-28110 | 1 Compassplus | 1 Tranzware E-commerce Payment Gateway | 2021-03-25 | 5.0 MEDIUM | 7.5 HIGH |
| /exec in TranzWare e-Commerce Payment Gateway (TWEC PG) before 3.1.27.5 had a vulnerability in its XML parser. | |||||
| CVE-2020-28387 | 1 Siemens | 1 Solid Edge | 2021-03-18 | 4.3 MEDIUM | 5.5 MEDIUM |
| A vulnerability has been identified in Solid Edge SE2020 (All Versions < SE2020MP13), Solid Edge SE2021 (All Versions < SE2021MP3). When opening a specially crafted SEECTCXML file, the application could disclose arbitrary files to remote attackers. This is because of the passing of specially crafted content to the underlying XML parser without taking proper restrictions such as prohibiting an external dtd. (ZDI-CAN-11923) | |||||
| CVE-2019-0188 | 2 Apache, Oracle | 5 Camel, Enterprise Data Quality, Enterprise Manager Base Platform and 2 more | 2021-03-15 | 5.0 MEDIUM | 7.5 HIGH |
| Apache Camel prior to 2.24.0 contains an XML external entity injection (XXE) vulnerability (CWE-611) due to using an outdated vulnerable JSON-lib library. This affects only the camel-xmljson component, which was removed. | |||||
| CVE-2020-13692 | 4 Fedoraproject, Netapp, Postgresql and 1 more | 4 Fedora, Steelstore Cloud Integrated Storage, Postgresql Jdbc Driver and 1 more | 2021-03-15 | 6.8 MEDIUM | 7.7 HIGH |
| PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE. | |||||
| CVE-2021-26969 | 1 Arubanetworks | 1 Airwave | 2021-03-11 | 5.5 MEDIUM | 6.5 MEDIUM |
| A remote authenticated XML external entity (XXE) vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0. Due to improper restrictions on XML entities, a vulnerability exists in the web-based management interface of AirWave. A successful exploit could allow an authenticated attacker to retrieve files from the local system or cause the application to consume system resources, resulting in a denial of service condition. | |||||
| CVE-2021-27931 | 1 Lumis | 1 Lumis Experience Platform | 2021-03-10 | 6.4 MEDIUM | 9.1 CRITICAL |
| LumisXP (aka Lumis Experience Platform) before 10.0.0 allows unauthenticated blind XXE via an API request to PageControllerXml.jsp. One can send a request crafted with an XXE payload and achieve outcomes such as reading local server files or denial of service. | |||||
| CVE-2021-21517 | 1 Dell | 1 Emc Srs Policy Manager | 2021-03-08 | 6.4 MEDIUM | 7.2 HIGH |
| SRS Policy Manager 6.X is affected by an XML External Entity Injection (XXE) vulnerability due to a misconfigured XML parser that processes user-supplied DTD input without sufficient validation. A remote unauthenticated attacker can potentially exploit this vulnerability to read system files as a non-root user and may be able to temporarily disrupt the ESRS service. | |||||
| CVE-2021-26703 | 1 Eprints | 1 Eprints | 2021-03-04 | 7.5 HIGH | 9.8 CRITICAL |
| EPrints 3.4.2 allows remote attackers to read arbitrary files and possibly execute commands via crafted JSON/XML input to a cgi/ajax/phrase URI. | |||||
| CVE-2019-18943 | 1 Microfocus | 1 Solutions Business Manager | 2021-03-01 | 5.2 MEDIUM | 8.0 HIGH |
| Micro Focus Solutions Business Manager versions prior to 11.7.1 are vulnerable to XML External Entity Processing (XXE) on certain operations. | |||||
| CVE-2020-26981 | 1 Siemens | 2 Jt2go, Teamcenter Visualization | 2021-02-23 | 4.3 MEDIUM | 6.5 MEDIUM |
| A vulnerability has been identified in JT2Go (All versions < V13.1.0), Teamcenter Visualization (All versions < V13.1.0). When opening a specially crafted xml file, the application could disclose arbitrary files to remote attackers. This is because of the passing of specially crafted content to the underlying XML parser without taking proper restrictions such as prohibiting an external dtd. (ZDI-CAN-11890) | |||||
| CVE-2021-27184 | 1 Pelco | 1 Digital Sentry Server | 2021-02-17 | 5.0 MEDIUM | 7.5 HIGH |
| Pelco Digital Sentry Server 7.18.72.11464 has an XML External Entity vulnerability (exploitable via the DTD parameter entities technique), resulting in disclosure and retrieval of arbitrary data on the affected node via an out-of-band (OOB) attack. The vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the ControlPointCacheShare.xml file (in a %APPDATA%\Pelco directory) when DSControlPoint.exe is executed. | |||||
| CVE-2013-1915 | 4 Debian, Fedoraproject, Opensuse and 1 more | 4 Debian Linux, Fedora, Opensuse and 1 more | 2021-02-12 | 7.5 HIGH | N/A |
| ModSecurity before 2.7.3 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) vulnerability. | |||||
| CVE-2021-20353 | 1 Ibm | 1 Websphere Application Server | 2021-02-11 | 6.4 MEDIUM | 8.2 HIGH |
| IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 194882. | |||||
| CVE-2021-21266 | 1 Openhab | 1 Openhab | 2021-02-05 | 4.0 MEDIUM | 5.0 MEDIUM |
| openHAB is a vendor and technology agnostic open source automation software for your home. In openHAB before versions 2.5.12 and 3.0.1, the XML external entity (XXE) attack allows attackers in the same network as the openHAB instance to retrieve internal information like the content of files from the file system. Responses to SSDP requests can be especially malicious. All add-ons that use SAX or JAXB parsing of externally received XML are potentially subject to this kind of attack. In openHAB, the following add-ons are potentially impacted: AvmFritz, BoseSoundtouch, DenonMarantz, DLinkSmarthome, Enigma2, FmiWeather, FSInternetRadio, Gce, Homematic, HPPrinter, IHC, Insteon, Onkyo, Roku, SamsungTV, Sonos, Roku, Tellstick, TR064, UPnPControl, Vitotronic, Wemo, YamahaReceiver and XPath Transformation. The vulnerabilities have been fixed in versions 2.5.12 and 3.0.1 by a more strict configuration of the used XML parser. | |||||
| CVE-2020-4949 | 5 Hp, Ibm, Linux and 2 more | 8 Hp-ux, Aix, I and 5 more | 2021-01-29 | 6.4 MEDIUM | 8.2 HIGH |
| IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 192025. | |||||
| CVE-2021-22498 | 1 Microfocus | 1 Application Lifecycle Management | 2021-01-29 | 5.5 MEDIUM | 8.1 HIGH |
| XML External Entity Injection vulnerability in Micro Focus Application Lifecycle Management (Previously known as Quality Center) product. The vulnerability affects versions 12.x, 12.60 Patch 5 and earlier, 15.0.1 Patch 2 and earlier and 15.5. The vulnerability could be exploited to allow an XML External Entity Injection. | |||||
| CVE-2020-27858 | 1 Arcserve | 1 D2d | 2021-01-27 | 5.0 MEDIUM | 7.5 HIGH |
| This vulnerability allows remote attackers to disclose sensitive information on affected installations of CA Arcserve D2D 16.5. Authentication is not required to exploit this vulnerability. The specific flaw exists within the getNews method. Due to the improper restriction of XML External Entity (XXE) references, a specially-crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM. Was ZDI-CAN-11103. | |||||
