Total
971 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-45326 | 1 Kwoksys | 1 Information Server | 2023-12-10 | N/A | 4.9 MEDIUM |
| An XML external entity (XXE) injection vulnerability in Kwoksys Kwok Information Server before v2.9.5.SP31 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks. | |||||
| CVE-2023-22377 | 1 Fujitsu | 2 Tsclinical Define.xml Generator, Tsclinical Metadata Desktop Tools | 2023-12-10 | N/A | 7.4 HIGH |
| Improper restriction of XML external entity reference (XXE) vulnerability exists in tsClinical Define.xml Generator all versions (v1.0.0 to v1.4.0) and tsClinical Metadata Desktop Tools Version 1.0.3 to Version 1.1.0. If this vulnerability is exploited, an attacker may obtain an arbitrary file which meets a certain condition by reading a specially crafted XML file. | |||||
| CVE-2023-26461 | 1 Sap | 1 Netweaver Enterprise Portal | 2023-12-10 | N/A | 4.9 MEDIUM |
| SAP NetWeaver allows (SAP Enterprise Portal) - version 7.50, allows an authenticated attacker with sufficient privileges to access the XML parser which can submit a crafted XML file which when parsed will enable them to access but not modify sensitive files and data. It allows the attacker to view sensitive data which is owned by certain privileges. | |||||
| CVE-2022-45588 | 1 Talend | 1 Remote Engine Gen 2 | 2023-12-10 | N/A | 7.8 HIGH |
| All versions before R2022-09 of Talend's Remote Engine Gen 2 are potentially vulnerable to XML External Entity (XXE) type of attacks. Users should download the R2022-09 release or later and use it in place of the previous version. Talend Remote Engine Gen 1 and Talend Cloud Engine for Design are not impacted. This XXE vulnerability could only be exploited by someone with the appropriate rights to edit pipelines on the Talend platform. It could not be triggered remotely or by other user input. | |||||
| CVE-2023-27480 | 1 Xwiki | 1 Xwiki | 2023-12-10 | N/A | 7.7 HIGH |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with edit rights on a document can trigger an XAR import on a forged XAR file, leading to the ability to display the content of any file on the XWiki server host. This vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10-rc-1. Users are advised to upgrade. Users unable to upgrade may apply the patch `e3527b98fd` manually. | |||||
| CVE-2023-26043 | 1 Geosolutionsgroup | 1 Geonode | 2023-12-10 | N/A | 6.5 MEDIUM |
| GeoNode is an open source platform that facilitates the creation, sharing, and collaborative use of geospatial data. GeoNode is vulnerable to an XML External Entity (XXE) injection in the style upload functionality of GeoServer leading to Arbitrary File Read. This issue has been patched in version 4.0.3. | |||||
| CVE-2023-22624 | 1 Zohocorp | 1 Manageengine Exchange Reporter Plus | 2023-12-10 | N/A | 7.5 HIGH |
| Zoho ManageEngine Exchange Reporter Plus before 5708 allows attackers to conduct XXE attacks. | |||||
| CVE-2023-24443 | 1 Jenkins | 1 Testcomplete Support | 2023-12-10 | N/A | 9.8 CRITICAL |
| Jenkins TestComplete support Plugin 2.8.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2023-24323 | 1 Mojoportal | 1 Mojoportal | 2023-12-10 | N/A | 8.8 HIGH |
| Mojoportal v2.7 was discovered to contain an authenticated XML external entity (XXE) injection vulnerability. | |||||
| CVE-2021-33950 | 1 Openkm | 1 Openkm | 2023-12-10 | N/A | 7.5 HIGH |
| An issue discovered in OpenKM v6.3.10 allows attackers to obtain sensitive information via the XMLTextExtractor function. | |||||
| CVE-2022-47873 | 1 Netcad | 1 Keos | 2023-12-10 | N/A | 9.8 CRITICAL |
| Netcad KEOS 1.0 is vulnerable to XML External Entity (XXE) resulting in SSRF with XXE (remote). | |||||
| CVE-2022-47514 | 1 Xml-rpc.net Project | 1 Xml-rpc.net | 2023-12-10 | N/A | 8.8 HIGH |
| An XML external entity (XXE) injection vulnerability in XML-RPC.NET before 2.5.0 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks, as demonstrated by a pingback.aspx POST request. | |||||
| CVE-2022-25628 | 1 Broadcom | 1 Symantec Identity Governance And Administration | 2023-12-10 | N/A | 8.8 HIGH |
| An authenticated user can perform XML eXternal Entity injection in Management Console in Symantec Identity Manager 14.4 | |||||
| CVE-2022-46682 | 1 Jenkins | 1 Plot | 2023-12-10 | N/A | 9.8 CRITICAL |
| Jenkins Plot Plugin 2.1.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2023-27476 | 1 Osgeo | 1 Owslib | 2023-12-10 | N/A | 7.5 HIGH |
| OWSLib is a Python package for client programming with Open Geospatial Consortium (OGC) web service interface standards, and their related content models. OWSLib's XML parser (which supports both `lxml` and `xml.etree`) does not disable entity resolution, and could lead to arbitrary file reads from an attacker-controlled XML payload. This affects all XML parsing in the codebase. This issue has been addressed in version 0.28.1. All users are advised to upgrade. The only known workaround is to patch the library manually. See `GHSA-8h9c-r582-mggc` for details. | |||||
| CVE-2022-38389 | 1 Ibm | 1 Tivoli Workload Scheduler | 2023-12-10 | N/A | 9.1 CRITICAL |
| IBM Tivoli Workload Scheduler 9.4, 9.5, and 10.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 233975. | |||||
| CVE-2023-20855 | 1 Vmware | 2 Vrealize Automation, Vrealize Orchestrator | 2023-12-10 | N/A | 8.8 HIGH |
| VMware vRealize Orchestrator contains an XML External Entity (XXE) vulnerability. A malicious actor, with non-administrative access to vRealize Orchestrator, may be able to use specially crafted input to bypass XML parsing restrictions leading to access to sensitive information or possible escalation of privileges. | |||||
| CVE-2023-22832 | 1 Apache | 1 Nifi | 2023-12-10 | N/A | 7.5 HIGH |
| The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references. Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor. | |||||
| CVE-2022-22486 | 1 Ibm | 1 Tivoli Workload Scheduler | 2023-12-10 | N/A | 9.1 CRITICAL |
| IBM Tivoli Workload Scheduler 9.4, 9.5, and 10.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 226328. | |||||
| CVE-2023-24187 | 1 Ureport Project | 1 Ureport | 2023-12-10 | N/A | 7.8 HIGH |
| An XML External Entity (XXE) vulnerability in ureport v2.2.9 allows attackers to execute arbitrary code via uploading a crafted XML file to /ureport/designer/saveReportFile. | |||||