Total: 879 CVEs

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2023-32706 | 1 Splunk | 2 Splunk, Splunk Cloud Platform | 2023-06-07 | N/A | 6.5 MEDIUM | On Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, an unauthenticated attacker can send specially-crafted messages to the XML parser within SAML authentication to cause a denial of service in the Splunk daemon.
CVE-2022-41221 | 1 Opentext | 1 Archive Center Administration | 2023-06-01 | N/A | 7.1 HIGH | The client in OpenText Archive Center Administration through 21.2 allows XXE attacks. Authenticated users of the OpenText Archive Center Administration client (versions 16.2.3, 21.2, and older) could upload XML files that the application did not sufficiently validate. As a result, attackers could craft XML files that, when processed by the application, would cause a negative security impact such as data exfiltration or localized denial of service against the application instance and the system of the user running it.
CVE-2023-26043 | 1 Geosolutionsgroup | 1 Geonode | 2023-06-01 | N/A | 6.5 MEDIUM | GeoNode is an open source platform that facilitates the creation, sharing, and collaborative use of geospatial data. GeoNode is vulnerable to an XML External Entity (XXE) injection in the style upload functionality of GeoServer, leading to arbitrary file read. This issue has been patched in version 4.0.3.
CVE-2023-2806 | 1 Weaver | 1 E-cology | 2023-05-26 | N/A | 8.8 HIGH | A vulnerability classified as problematic was found in Weaver e-cology up to 9.0. Affected by this vulnerability is the function RequestInfoByXml of the component API. The manipulation leads to XML external entity reference. The associated identifier of this vulnerability is VDB-229411. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2023-20174 | 1 Cisco | 1 Identity Services Engine | 2023-05-26 | N/A | 4.9 MEDIUM | Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to read arbitrary files or conduct a server-side request forgery (SSRF) attack through an affected device. To exploit these vulnerabilities, an attacker must have valid Administrator credentials on the affected device. For more information about these vulnerabilities, see the Details section of this advisory.
CVE-2023-20173 | 1 Cisco | 1 Identity Services Engine | 2023-05-26 | N/A | 4.9 MEDIUM | Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to read arbitrary files or conduct a server-side request forgery (SSRF) attack through an affected device. To exploit these vulnerabilities, an attacker must have valid Administrator credentials on the affected device. For more information about these vulnerabilities, see the Details section of this advisory.
CVE-2023-2161 | 1 Schneider-electric | 1 Opc Factory Server | 2023-05-25 | N/A | 5.5 MEDIUM | A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause unauthorized read access to the file system when a malicious configuration file is loaded onto the software by a local user.
CVE-2023-27554 | 1 Ibm | 1 Websphere Application Server | 2023-05-22 | N/A | 9.1 CRITICAL | IBM WebSphere Application Server 8.5 and 9.0 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 249185.
CVE-2023-27527 | 1 Touki-kyoutaku-online | 1 Shinseiyo Sogo Soft | 2023-05-16 | N/A | 7.5 HIGH | Shinseiyo Sogo Soft (7.9A) and earlier improperly restricts XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the PC may be accessed by an attacker.
CVE-2023-28828 | 1 Siemens | 1 Polarion Alm | 2023-05-09 | N/A | 5.9 MEDIUM | A vulnerability has been identified in Polarion ALM (all versions < V22R2). The application contains an XML External Entity Injection (XXE) vulnerability. This could allow an attacker to view files on the application server filesystem.
CVE-2023-29443 | 1 Zohocorp | 4 Manageengine Assetexplorer, Manageengine Servicedesk Plus, Manageengine Servicedesk Plus Msp and 1 more | 2023-05-08 | N/A | 4.9 MEDIUM | Zoho ManageEngine ServiceDesk Plus through 14104 allows admin users to conduct an XXE attack.
CVE-2023-28008 | 1 Hcltech | 1 Workload Automation | 2023-05-05 | N/A | 8.1 HIGH | HCL Workload Automation 9.4, 9.5, and 10.1 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
CVE-2023-28009 | 1 Hcltech | 1 Workload Automation | 2023-05-05 | N/A | 8.1 HIGH | HCL Workload Automation is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
CVE-2022-45876 | 1 Visam | 1 Vbase | 2023-05-05 | N/A | 5.5 MEDIUM | Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.
CVE-2023-26058 | 1 Nokia | 1 Netact | 2023-05-04 | N/A | 6.5 MEDIUM | An XXE issue was discovered in Nokia NetAct before 22 FP2211 via an XML document to a Performance Manager page. Input validation and a proper XML parser configuration are missing. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user.
CVE-2023-26057 | 1 Nokia | 1 Netact | 2023-05-04 | N/A | 6.5 MEDIUM | An XXE issue was discovered in Nokia NetAct before 22 FP2211 via an XML document to the Configuration Dashboard page. Input validation and a proper XML parser configuration are missing. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user.
CVE-2022-38840 | 1 Guralp | 1 Man-eam-0003 | 2023-04-25 | N/A | 7.5 HIGH | cgi-bin/xmlstatus.cgi in Güralp MAN-EAM-0003 3.2.4 is vulnerable to an XML External Entity (XXE) issue via XML file upload, which leads to local file disclosure.
CVE-2023-26264 | 1 Talend | 1 Data Catalog | 2023-04-21 | N/A | 5.5 MEDIUM | All versions of Talend Data Catalog before 8.0-20220907 are potentially vulnerable to XML External Entity (XXE) attacks in the license parsing code.
CVE-2023-26263 | 1 Talend | 1 Data Catalog | 2023-04-21 | N/A | 5.5 MEDIUM | All versions of Talend Data Catalog before 8.0-20230110 are potentially vulnerable to XML External Entity (XXE) attacks in the /MIMBWebServices/license endpoint of the remote harvesting server.
CVE-2023-25955 | 1 Mlit | 1 National Land Numerical Information Data Conversion Tool | 2023-04-18 | N/A | 5.5 MEDIUM | All versions of the National Land Numerical Information Data Conversion Tool improperly restrict XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the PC may be accessed by an attacker.