Total
954 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-18471 | 4 Axentra, Medion, Netgear and 1 more | 4 Hipserv, Lifecloud, Stora and 1 more | 2024-02-14 | 10.0 HIGH | 9.8 CRITICAL |
| /api/2.0/rest/aggregator/xml in Axentra firmware, used by NETGEAR Stora, Seagate GoFlex Home, and MEDION LifeCloud, has an XXE vulnerability that can be chained with an SSRF bug to gain remote command execution as root. It can be triggered by anyone who knows the IP address of the affected device. | |||||
| CVE-2019-14276 | 1 Xnat | 1 Xnat | 2024-02-14 | 4.0 MEDIUM | 6.5 MEDIUM |
| WUSTL XNAT 1.7.5.3 allows XXE attacks via a POST request body. | |||||
| CVE-2014-0030 | 1 Apache | 1 Roller | 2024-02-14 | 7.5 HIGH | 9.8 CRITICAL |
| The XML-RPC protocol support in Apache Roller before 5.0.3 allows attackers to conduct XML External Entity (XXE) attacks via unspecified vectors. | |||||
| CVE-2021-45024 | 1 Rocketsoftware | 1 Ags-zena | 2024-02-14 | 7.5 HIGH | 9.8 CRITICAL |
| ASG technologies ( A Rocket Software Company) ASG-Zena Cross Platform Server Enterprise Edition 4.2.1 is vulnerable to XML External Entity (XXE). | |||||
| CVE-2023-52239 | 1 Magicsoftware | 1 Magic Xpi Integration Platform | 2024-02-13 | N/A | 6.5 MEDIUM |
| The XML parser in Magic xpi Integration Platform 4.13.4 allows XXE attacks, e.g., via onItemImport. | |||||
| CVE-2024-22024 | 1 Ivanti | 3 Connect Secure, Policy Secure, Zero Trust Access | 2024-02-13 | N/A | 8.3 HIGH |
| An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain restricted resources without authentication. | |||||
| CVE-2024-24743 | 2024-02-13 | N/A | 8.6 HIGH | ||
| SAP NetWeaver AS Java (CAF - Guided Procedures) - version 7.50, allows an unauthenticated attacker to submit a malicious request with a crafted XML file over the network, which when parsed will enable him to access sensitive files and data but not modify them. There are expansion limits in place so that availability is not affected. | |||||
| CVE-2009-1699 | 3 Apple, Canonical, Opensuse | 4 Iphone Os, Safari, Ubuntu Linux and 1 more | 2024-02-10 | 7.1 HIGH | 7.5 HIGH |
| The XSL stylesheet implementation in WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 does not properly handle XML external entities, which allows remote attackers to read arbitrary files via a crafted DTD, as demonstrated by a file:///etc/passwd URL in an entity declaration, related to an "XXE attack." | |||||
| CVE-2024-1167 | 1 Seweurodrive | 1 Movitools Motionstudio | 2024-02-09 | N/A | 7.5 HIGH |
| When SEW-EURODRIVE MOVITOOLS MotionStudio processes XML information unrestricted file access can occur. | |||||
| CVE-2011-4107 | 3 Debian, Fedoraproject, Phpmyadmin | 3 Debian Linux, Fedora, Phpmyadmin | 2024-02-09 | 4.3 MEDIUM | 6.5 MEDIUM |
| The simplexml_load_string function in the XML import plug-in (libraries/import/xml.php) in phpMyAdmin 3.4.x before 3.4.7.1 and 3.3.x before 3.3.10.5 allows remote authenticated users to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack. | |||||
| CVE-2022-42745 | 1 Auieosoftware | 1 Candidats | 2024-02-08 | N/A | 7.5 HIGH |
| CandidATS version 3.0.0 allows an external attacker to read arbitrary files from the server. This is possible because the application is vulnerable to XXE. | |||||
| CVE-2005-1306 | 1 Adobe | 2 Acrobat, Acrobat Reader | 2024-02-08 | 5.0 MEDIUM | 7.5 HIGH |
| The Adobe Reader control in Adobe Reader and Acrobat 7.0 and 7.0.1 allows remote attackers to determine the existence of files via Javascript containing XML script, aka the "XML External Entity vulnerability." | |||||
| CVE-2023-32327 | 1 Ibm | 2 Security Verify Access, Security Verify Access Docker | 2024-02-07 | N/A | 7.1 HIGH |
| IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 254783. | |||||
| CVE-2023-4554 | 3 Linux, Microsoft, Opentext | 3 Linux Kernel, Windows, Appbuilder | 2024-02-05 | N/A | 6.5 MEDIUM |
| Improper Restriction of XML External Entity Reference vulnerability in OpenText AppBuilder on Windows, Linux allows Server Side Request Forgery, Probe System Files. AppBuilder's XML processor is vulnerable to XML External Entity Processing (XXE), allowing an authenticated user to upload specially crafted XML files to induce server-side request forgery, disclose files local to the server that processes them. This issue affects AppBuilder: from 21.2 before 23.2. | |||||
| CVE-2024-22380 | 1 Maff | 1 Electronic Delivery Check System | 2024-01-30 | N/A | 5.5 MEDIUM |
| Electronic Delivery Check System (Ministry of Agriculture, Forestry and Fisheries The Agriculture and Rural Development Project Version) March, Heisei 31 era edition Ver.14.0.001.002 and earlier improperly restricts XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker. | |||||
| CVE-2024-21796 | 1 Dfeg | 1 Electronic Deliverables Creation Support Tool | 2024-01-30 | N/A | 5.5 MEDIUM |
| Electronic Deliverables Creation Support Tool (Construction Edition) prior to Ver1.0.4 and Electronic Deliverables Creation Support Tool (Design & Survey Edition) prior to Ver1.0.4 improperly restrict XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker. | |||||
| CVE-2024-21765 | 1 Cals-ed | 2 Electronic Delivery Check System, Electronic Delivery Item Inspection Support System | 2024-01-30 | N/A | 5.5 MEDIUM |
| Electronic Delivery Check System (Doboku) Ver.18.1.0 and earlier, Electronic Delivery Check System (Dentsu) Ver.12.1.0 and earlier, Electronic Delivery Check System (Kikai) Ver.10.1.0 and earlier, and Electronic delivery item Inspection Support SystemVer.4.0.31 and earlier improperly restrict XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker. | |||||
| CVE-2024-23525 | 1 Tozt | 1 Spreadsheet\ | 2024-01-27 | N/A | 6.5 MEDIUM |
| The Spreadsheet::ParseXLSX package before 0.30 for Perl allows XXE attacks because it neglects to use the no_xxe option of XML::Twig. | |||||
| CVE-2023-20052 | 3 Cisco, Clamav, Stormshield | 4 Secure Endpoint, Secure Endpoint Private Cloud, Clamav and 1 more | 2024-01-25 | N/A | 5.3 MEDIUM |
| On Feb 15, 2023, the following vulnerability in the ClamAV scanning library was disclosed: A vulnerability in the DMG file parser of ClamAV versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier could allow an unauthenticated, remote attacker to access sensitive information on an affected device. This vulnerability is due to enabling XML entity substitution that may result in XML external entity injection. An attacker could exploit this vulnerability by submitting a crafted DMG file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to leak bytes from any file that may be read by the ClamAV scanning process. | |||||
| CVE-2022-20938 | 1 Cisco | 1 Firepower Management Center | 2024-01-25 | N/A | 4.3 MEDIUM |
| A vulnerability in the module import function of the administrative interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to view sensitive information. This vulnerability is due to insufficient validation of the XML syntax when importing a module. An attacker could exploit this vulnerability by supplying a specially crafted XML file to the function. A successful exploit could allow the attacker to read sensitive data that would normally not be revealed. | |||||