Vulnerabilities (CVE)

Filtered by CWE-611
Total 953 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-6147 1 Qualys 1 Policy Compliance 2024-01-24 N/A 6.5 MEDIUM
Qualys Jenkins Plugin for Policy Compliance prior to version and including 1.0.5 was identified to be affected by a security flaw, which was missing a permission check while performing a connectivity check to Qualys Cloud Services. This allowed any user with login access to configure or edit jobs to utilize the plugin and configure potential a rouge endpoint via which it was possible to control response for certain request which could be injected with XXE payloads leading to XXE while processing the response data
CVE-2016-5002 1 Apache 1 Xml-rpc 2024-01-22 9.3 HIGH 7.8 HIGH
XML external entity (XXE) vulnerability in the Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted DTD.
CVE-2023-6149 1 Qualys 1 Web Application Screening 2024-01-12 N/A 6.5 MEDIUM
Qualys Jenkins Plugin for WAS prior to version and including 2.0.11 was identified to be affected by a security flaw, which was missing a permission check while performing a connectivity check to Qualys Cloud Services. This allowed any user with login access to configure or edit jobs to utilize the plugin and configure potential a rouge endpoint via which it was possible to control response for certain request which could be injected with XXE payloads leading to XXE while processing the response data
CVE-2023-26999 1 Netscout 1 Ngeniusone 2024-01-11 N/A 9.8 CRITICAL
An issue found in NetScout nGeniusOne v.6.3.4 allows a remote attacker to execute arbitrary code and cause a denial of service via a crafted file.
CVE-2021-42646 1 Wso2 3 Api Manager, Identity Server, Identity Server As Key Manager 2024-01-11 6.4 MEDIUM 9.1 CRITICAL
XML External Entity (XXE) vulnerability in the file based service provider creation feature of the Management Console in WSO2 API Manager 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; and WSO2 IS as Key Manager 5.7.0, 5.9.0, and 5.10.0; and WSO2 Identity Server 5.7.0, 5.8.0, 5.9.0, 5.10.0, and 5.11.0. Allows attackers to gain read access to sensitive information or cause a denial of service via crafted GET requests.
CVE-2023-52252 1 Unifiedremote 1 Unified Remote 2024-01-05 N/A 9.8 CRITICAL
Unified Remote 3.13.0 allows remote attackers to execute arbitrary Lua code because of a wildcarded Access-Control-Allow-Origin for the Remote upload endpoint.
CVE-2019-3773 2 Oracle, Pivotal Software 3 Financial Services Analytical Applications Infrastructure, Flexcube Private Banking, Spring Web Services 2023-12-27 7.5 HIGH 9.8 CRITICAL
Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.
CVE-2023-46265 1 Ivanti 1 Avalanche 2023-12-22 N/A 9.8 CRITICAL
An unauthenticated could abuse a XXE vulnerability in the Smart Device Server to leak data or perform a Server-Side Request Forgery (SSRF).
CVE-2019-13990 5 Apache, Atlassian, Netapp and 2 more 31 Tomee, Jira Service Management, Active Iq Unified Manager and 28 more 2023-12-22 7.5 HIGH 9.8 CRITICAL
initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.
CVE-2023-6836 1 Wso2 7 Api Manager, Api Manager Analytics, Api Microgateway and 4 more 2023-12-19 N/A 7.5 HIGH
Multiple WSO2 products have been identified as vulnerable due to an XML External Entity (XXE) attack abuses a widely available but rarely used feature of XML parsers to access sensitive information.
CVE-2023-6721 1 Europeana 1 Repox 2023-12-18 N/A 7.5 HIGH
An XEE vulnerability has been found in Repox, which allows a remote attacker to interfere with the application's XML data processing in the fileupload function, resulting in interaction between the attacker and the server's file system.
CVE-2023-6194 1 Eclipse 1 Memory Analyzer 2023-12-13 N/A 7.1 HIGH
In Eclipse Memory Analyzer versions 0.7 to 1.14.0, report definition XML files are not filtered to prohibit document type definition (DTD) references to external entities. This means that if a user chooses to use a malicious report definition XML file containing an external entity reference to generate a report then Eclipse Memory Analyzer may access external files or URLs defined via a DTD in the report definition.
CVE-2023-4218 1 Eclipse 3 Eclipse Ide, Org.eclipse.core.runtime, Pde 2023-12-10 N/A 5.0 MEDIUM
In Eclipse IDE versions < 2023-09 (4.29) some files with xml content are parsed vulnerable against all sorts of XXE attacks. The user just needs to open any evil project or update an open project with a vulnerable file (for example for review a foreign repository or patch).
CVE-2023-49656 1 Jenkins 1 Matlab 2023-12-10 N/A 9.8 CRITICAL
Jenkins MATLAB Plugin 2.11.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2023-49733 1 Apache 1 Cocoon 2023-12-10 N/A 9.8 CRITICAL
Improper Restriction of XML External Entity Reference vulnerability in Apache Cocoon.This issue affects Apache Cocoon: from 2.2.0 before 2.3.0. Users are recommended to upgrade to version 2.3.0, which fixes the issue.
CVE-2023-45727 1 Northgrid 1 Proself 2023-12-10 N/A 7.5 HIGH
Proself Enterprise/Standard Edition Ver5.62 and earlier, Proself Gateway Edition Ver1.65 and earlier, and Proself Mail Sanitize Edition Ver1.08 and earlier allow a remote unauthenticated attacker to conduct XML External Entity (XXE) attacks. By processing a specially crafted request containing malformed XML data, arbitrary files on the server containing account information may be read by the attacker.
CVE-2023-0871 1 Opennms 2 Horizon, Meridian 2023-12-10 N/A 6.1 MEDIUM
XXE injection in /rtc/post/ endpoint in OpenMNS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platforms is vulnerable to XML external entity (XXE) injection, which can be used for instance to force Horizon to make arbitrary HTTP requests to internal and external services. The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. OpenNMS thanks Erik Wynter and Moshe Apelbaum for reporting this issue.
CVE-2023-46502 1 Opencrx 1 Opencrx 2023-12-10 N/A 9.8 CRITICAL
An issue in openCRX v.5.2.2 allows a remote attacker to read internal files and execute server side request forgery attack via insecure DocumentBuilderFactory.
CVE-2023-46802 1 Nta 1 E-tax 2023-12-10 N/A 5.5 MEDIUM
e-Tax software Version3.0.10 and earlier improperly restricts XML external entity references (XXE) due to the configuration of the embedded XML parser. By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker.
CVE-2023-32639 1 Moj 1 Applicant Programme 2023-12-10 N/A 5.5 MEDIUM
Applicant Programme Ver.7.06 and earlier improperly restricts XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker.