Total: 967 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2023-35892 | 1 Ibm | 1 Financial Transaction Manager | 2023-12-10 | N/A | 9.1 CRITICAL | IBM Financial Transaction Manager for SWIFT Services 3.2.4 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 258786. |
CVE-2023-28151 | 1 Independentsoft | 1 Jspreadsheet | 2023-12-10 | N/A | 9.8 CRITICAL | An issue was discovered in Independentsoft JSpreadsheet before 1.1.110. The API is prone to XML external entity (XXE) injection via a remote DTD in a DOCX file. |
CVE-2023-20030 | 1 Cisco | 1 Identity Services Engine | 2023-12-10 | N/A | 6.0 MEDIUM | A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access sensitive information, conduct a server-side request forgery (SSRF) attack through an affected device, or negatively impact the responsiveness of the web-based management interface itself. This vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by uploading a crafted XML file that contains references to external entities. A successful exploit could allow the attacker to retrieve files from the local system, resulting in the disclosure of confidential information. A successful exploit could also cause the web application to perform arbitrary HTTP requests on behalf of the attacker or consume memory resources to reduce the availability of the web-based management interface. To successfully exploit this vulnerability, an attacker would need valid Super Admin or Policy Admin credentials. |
CVE-2023-29498 | 1 Fujielectric | 1 Frenic Rhc Loader | 2023-12-10 | N/A | 5.5 MEDIUM | Improper restriction of XML external entity reference (XXE) vulnerability exists in FRENIC RHC Loader v1.1.0.3 and earlier. If a user opens a specially crafted project file, sensitive information on the system where the affected product is installed may be disclosed. |
CVE-2023-26058 | 1 Nokia | 1 Netact | 2023-12-10 | N/A | 6.5 MEDIUM | An XXE issue was discovered in Nokia NetAct before 22 FP2211 via an XML document to a Performance Manager page. Input validation and a proper XML parser configuration are missing. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user. |
CVE-2023-28683 | 1 Jenkins | 1 Phabricator Differential | 2023-12-10 | N/A | 8.2 HIGH | Jenkins Phabricator Differential Plugin 2.1.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
CVE-2023-2161 | 1 Schneider-electric | 1 Opc Factory Server | 2023-12-10 | N/A | 5.5 MEDIUM | A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause unauthorized read access to the file system when a malicious configuration file is loaded onto the software by a local user. |
CVE-2023-26264 | 1 Talend | 1 Data Catalog | 2023-12-10 | N/A | 5.5 MEDIUM | All versions of Talend Data Catalog before 8.0-20220907 are potentially vulnerable to XML External Entity (XXE) attacks in the license parsing code. |
CVE-2023-37200 | 1 Se | 1 Ecostruxure Opc Ua Server Expert | 2023-12-10 | N/A | 5.5 MEDIUM | A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause loss of confidentiality when replacing a project file on the local filesystem and after manual restart of the server. |
CVE-2023-28685 | 1 Jenkins | 1 Absint A3 | 2023-12-10 | N/A | 7.1 HIGH | Jenkins AbsInt a³ Plugin 1.1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
CVE-2023-27874 | 2 Ibm, Linux | 2 Aspera Faspex, Linux Kernel | 2023-12-10 | N/A | 8.8 HIGH | IBM Aspera Faspex 4.4.2 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote authenticated attacker could exploit this vulnerability to execute arbitrary commands. IBM X-Force ID: 249845. |
CVE-2023-26057 | 1 Nokia | 1 Netact | 2023-12-10 | N/A | 6.5 MEDIUM | An XXE issue was discovered in Nokia NetAct before 22 FP2211 via an XML document to the Configuration Dashboard page. Input validation and a proper XML parser configuration are missing. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user. |
CVE-2023-28152 | 1 Independentsoft | 1 Jword | 2023-12-10 | N/A | 9.8 CRITICAL | An issue was discovered in Independentsoft JWord before 1.1.110. The API is prone to XML external entity (XXE) injection via a remote DTD in a DOCX file. |
CVE-2023-26263 | 1 Talend | 1 Data Catalog | 2023-12-10 | N/A | 5.5 MEDIUM | All versions of Talend Data Catalog before 8.0-20230110 are potentially vulnerable to XML External Entity (XXE) attacks in the /MIMBWebServices/license endpoint of the remote harvesting server. |
CVE-2023-28340 | 1 Zohocorp | 1 Manageengine Applications Manager | 2023-12-10 | N/A | 6.5 MEDIUM | Zoho ManageEngine Applications Manager through 16320 allows the admin user to conduct an XXE attack. |
CVE-2023-28828 | 1 Siemens | 1 Polarion Alm | 2023-12-10 | N/A | 5.9 MEDIUM | A vulnerability has been identified in Polarion ALM (All versions < V22R2). The application contains an XML External Entity Injection (XXE) vulnerability. This could allow an attacker to view files on the application server filesystem. |
CVE-2022-46300 | 1 Visam | 1 Vbase Automation Base | 2023-12-10 | N/A | 5.5 MEDIUM | Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file. |
CVE-2020-26709 | 1 Py-xml Project | 1 Py-xml | 2023-12-10 | N/A | 7.5 HIGH | py-xml v1.0 was discovered to contain an XML External Entity Injection (XXE) vulnerability which allows attackers to execute arbitrary code via a crafted XML file. |
CVE-2020-26708 | 1 Requests-xml Project | 1 Requests-xml | 2023-12-10 | N/A | 7.5 HIGH | requests-xml v0.2.3 was discovered to contain an XML External Entity Injection (XXE) vulnerability which allows attackers to execute arbitrary code via a crafted XML file. |
CVE-2023-35786 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2023-12-10 | N/A | 4.9 MEDIUM | Zoho ManageEngine ADManager Plus before 7183 allows admin users to exploit an XXE issue to view files. |