Total: 954 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-38343 | 1 Ivanti | 1 Endpoint Manager | 2023-12-10 | N/A | 7.5 HIGH |
An XXE (XML external entity injection) vulnerability exists in the CSEP component of Ivanti Endpoint Manager before 2022 SU4. External entity references are enabled in the XML parser configuration. Exploitation of this vulnerability can lead to file disclosure or Server Side Request Forgery. | |||||
CVE-2023-41034 | 1 Eclipse | 1 Leshan | 2023-12-10 | N/A | 9.8 CRITICAL |
Eclipse Leshan is a device management server and client Java implementation. In affected versions `DDFFileParser` and `DefaultDDFFileValidator` (and therefore `ObjectLoader`) are vulnerable to XXE attacks. A DDF file is an LWM2M format used to store LWM2M object descriptions. Leshan users are impacted only if they parse untrusted DDF files (e.g. if they let external users provide their own models); in that case they MUST upgrade to a fixed version. If you parse only trusted DDF files and validate only against trusted XML schemas, upgrading is not mandatory. This issue has been fixed in versions 1.5.0 and 2.0.0-M13. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
CVE-2023-37942 | 1 Jenkins | 1 External Monitor Job Type | 2023-12-10 | N/A | 6.5 MEDIUM |
Jenkins External Monitor Job Type Plugin 206.v9a_94ff0b_4a_10 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
CVE-2023-41369 | 1 Sap | 1 S\/4 Hana | 2023-12-10 | N/A | 4.3 MEDIUM |
The Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, 107, 108 - allows an attacker to upload an XML file as an attachment. When a user clicks the XML file in the attachment section, it is opened in the browser, where recursive entity expansion (entity loops) slows the browser down. | |||||
CVE-2023-32567 | 1 Ivanti | 1 Avalanche | 2023-12-10 | N/A | 9.8 CRITICAL |
Ivanti Avalanche is vulnerable to XML External Entity (XXE) processing in decodeToMap. Fixed in version 6.4.1.236. | |||||
CVE-2023-30951 | 1 Palantir | 1 Magritte-rest-source-bundle | 2023-12-10 | N/A | 6.5 MEDIUM |
The Foundry Magritte plugin rest-source was found to be vulnerable to an XML External Entity (XXE) attack. | |||||
CVE-2023-37364 | 1 Ws-inc | 1 J Wbem | 2023-12-10 | N/A | 9.1 CRITICAL |
In WS-Inc J WBEM Server 4.7.4 before 4.7.5, the CIM-XML protocol adapter does not disable entity resolution. This allows context-dependent attackers to read arbitrary files or cause a denial of service, a similar issue to CVE-2013-4152. | |||||
CVE-2023-35892 | 1 Ibm | 1 Financial Transaction Manager | 2023-12-10 | N/A | 9.1 CRITICAL |
IBM Financial Transaction Manager for SWIFT Services 3.2.4 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 258786. | |||||
CVE-2023-28151 | 1 Independentsoft | 1 Jspreadsheet | 2023-12-10 | N/A | 9.8 CRITICAL |
An issue was discovered in Independentsoft JSpreadsheet before 1.1.110. The API is prone to XML external entity (XXE) injection via a remote DTD in a DOCX file. | |||||
CVE-2023-20030 | 1 Cisco | 1 Identity Services Engine | 2023-12-10 | N/A | 6.0 MEDIUM |
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access sensitive information, conduct a server-side request forgery (SSRF) attack through an affected device, or negatively impact the responsiveness of the web-based management interface itself. This vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by uploading a crafted XML file that contains references to external entities. A successful exploit could allow the attacker to retrieve files from the local system, resulting in the disclosure of confidential information. A successful exploit could also cause the web application to perform arbitrary HTTP requests on behalf of the attacker or consume memory resources to reduce the availability of the web-based management interface. To successfully exploit this vulnerability, an attacker would need valid Super Admin or Policy Admin credentials. | |||||
CVE-2023-29498 | 1 Fujielectric | 1 Frenic Rhc Loader | 2023-12-10 | N/A | 5.5 MEDIUM |
Improper restriction of XML external entity reference (XXE) vulnerability exists in FRENIC RHC Loader v1.1.0.3 and earlier. If a user opens a specially crafted project file, sensitive information on the system where the affected product is installed may be disclosed. | |||||
CVE-2023-26058 | 1 Nokia | 1 Netact | 2023-12-10 | N/A | 6.5 MEDIUM |
An XXE issue was discovered in Nokia NetAct before 22 FP2211 via an XML document to a Performance Manager page. Input validation and a proper XML parser configuration are missing. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user. | |||||
CVE-2023-28683 | 1 Jenkins | 1 Phabricator Differential | 2023-12-10 | N/A | 8.2 HIGH |
Jenkins Phabricator Differential Plugin 2.1.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
CVE-2023-2161 | 1 Schneider-electric | 1 Opc Factory Server | 2023-12-10 | N/A | 5.5 MEDIUM |
A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause unauthorized read access to the file system when a malicious configuration file is loaded on to the software by a local user. | |||||
CVE-2023-26264 | 1 Talend | 1 Data Catalog | 2023-12-10 | N/A | 5.5 MEDIUM |
All versions of Talend Data Catalog before 8.0-20220907 are potentially vulnerable to XML External Entity (XXE) attacks in the license parsing code. | |||||
CVE-2023-37200 | 1 Se | 1 Ecostruxure Opc Ua Server Expert | 2023-12-10 | N/A | 5.5 MEDIUM |
A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause loss of confidentiality when a project file on the local filesystem is replaced and the server is then manually restarted. | |||||
CVE-2023-28685 | 1 Jenkins | 1 Absint A3 | 2023-12-10 | N/A | 7.1 HIGH |
Jenkins AbsInt a³ Plugin 1.1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
CVE-2023-27874 | 2 Ibm, Linux | 2 Aspera Faspex, Linux Kernel | 2023-12-10 | N/A | 8.8 HIGH |
IBM Aspera Faspex 4.4.2 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote authenticated attacker could exploit this vulnerability to execute arbitrary commands. IBM X-Force ID: 249845. | |||||
CVE-2023-26057 | 1 Nokia | 1 Netact | 2023-12-10 | N/A | 6.5 MEDIUM |
An XXE issue was discovered in Nokia NetAct before 22 FP2211 via an XML document to the Configuration Dashboard page. Input validation and a proper XML parser configuration are missing. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user. | |||||
CVE-2023-28152 | 1 Independentsoft | 1 Jword | 2023-12-10 | N/A | 9.8 CRITICAL |
An issue was discovered in Independentsoft JWord before 1.1.110. The API is prone to XML external entity (XXE) injection via a remote DTD in a DOCX file. |
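Most entries above share one root cause: the component hands untrusted XML (an uploaded file, a DDF model, a DOCX part, a CIM-XML request) to a parser whose default configuration honours the DOCTYPE and resolves external entities, as the Ivanti and Jenkins descriptions state directly. The example below is added here for illustration and is not code from any vendor or project on this page. It uses only the Python standard library: `xml.sax` with `feature_external_ges` switched on reproduces the vulnerable configuration (the parser reads a local file named by a SYSTEM entity), the partial fix ignores external entities but still accepts a DTD, and the hardened policy rejects any DOCTYPE through a SAX lexical handler, the standard-library counterpart of the Xerces `disallow-doctype-decl` feature that Java-based products would set on `DocumentBuilderFactory`. The secret file, its path, the `note`/`leak` names and the payload are all constructed inside the example.

```python
"""Constructed XXE demonstration: vulnerable parser configuration beside
a hardened one, Python standard library only (not vendor code)."""
import io
import os
import tempfile
import xml.sax
from xml.sax import SAXException
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             property_lexical_handler)


class DoctypeRejected(SAXException):
    """Raised when a document carries a DOCTYPE and the policy forbids it."""


class _NoDoctype:
    """SAX lexical handler: abort as soon as <!DOCTYPE ...> is seen, before
    any entity (external or internal) can be declared or expanded."""

    def startDTD(self, name, public_id, system_id):
        raise DoctypeRejected("DOCTYPE declarations are not accepted")

    # The remaining lexical callbacks are required by the reader; no-ops.
    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


class _TextCollector(ContentHandler):
    """Collects character data so the effect of entity expansion is visible."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_text(xml_bytes, *, resolve_external_entities=False, allow_doctype=False):
    """Parse xml_bytes and return its concatenated character data.

    resolve_external_entities=True reproduces the vulnerable configuration
    (SYSTEM entities are fetched from disk or over the network).
    allow_doctype=False is the hardened default: any DTD is rejected outright,
    which also blocks internal-entity expansion bombs ("entity loops").
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    if not allow_doctype:
        parser.setProperty(property_lexical_handler, _NoDoctype())
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def xxe_payload(path):
    """Classic file-disclosure XXE (constructed sample): an external general
    entity pointing at a local file, referenced from the document body."""
    return (b'<?xml version="1.0"?>\n'
            b'<!DOCTYPE note [<!ENTITY leak SYSTEM "' + path.encode() + b'">]>\n'
            b'<note>&leak;</note>\n')


def demo():
    """Run the same payload through three configurations; returns a dict of
    outcomes so the behaviour can be checked without reading stdout."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")   # constructed secret
        with open(secret_path, "w") as fh:
            fh.write("db-password-hunter2")
        payload = xxe_payload(secret_path)
        results = {}
        # 1. Vulnerable: DTD accepted, external entities resolved -> file read
        results["unsafe"] = parse_text(payload, resolve_external_entities=True,
                                       allow_doctype=True)
        # 2. Partial fix: external entities ignored, but DTD still processed
        results["no_external"] = parse_text(payload, allow_doctype=True)
        # 3. Hardened: DOCTYPE rejected before any entity is declared
        try:
            parse_text(payload)
            results["hardened"] = "parsed"
        except DoctypeRejected:
            results["hardened"] = "rejected"
        # Ordinary DTD-less documents still parse under the hardened policy
        results["benign"] = parse_text(b"<note>hello</note>")
    return results


if __name__ == "__main__":
    print(demo())
```

Two points worth checking in your own parser. First, disabling external entities alone (configuration 2) leaves the DTD active, so the internal-entity expansion that the SAP entry describes still reaches the parser; refusing the DOCTYPE closes both paths at once. Second, the check has to be applied to every parser instance the component creates, including ones created indirectly by validators and loaders, which is how `DefaultDDFFileValidator` and `ObjectLoader` in the Leshan entry ended up affected alongside the parser itself.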