Total
60 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-23640 | 1 Excel Streaming Reader Project | 1 Excel Streaming Reader | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
Excel-Streaming-Reader is an easy-to-use implementation of a streaming Excel reader using Apache POI. Prior to xlsx-streamer 2.1.0, the XML parser that was used did apply all the necessary settings to prevent XML Entity Expansion issues. Upgrade to version 2.1.0 to receive a patch. There is no known workaround. | |||||
CVE-2021-41559 | 1 Silverstripe | 1 Silverstripe | 2023-12-10 | 4.3 MEDIUM | 6.5 MEDIUM |
Silverstripe silverstripe/framework 4.8.1 has a quadratic blowup in Convert::xml2array() that enables a remote attack via a crafted XML document. | |||||
CVE-2021-20464 | 2 Ibm, Netapp | 2 Cognos Analytics, Oncommand Insight | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
IBM Cognos Analytics PowerPlay (IBM Cognos Analytics 11.1.7, 11.2.0, and 11.1.7) could be vulnerable to an XML Bomb attack by a malicious authenticated user. IBM X-Force ID: 196813. | |||||
CVE-2021-40511 | 1 Obdasystems | 1 Mastro | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
OBDA systems’ Mastro 1.0 is vulnerable to XML Entity Expansion (aka “billion laughs”) attack allowing denial of service. | |||||
CVE-2021-3541 | 4 Netapp, Oracle, Redhat and 1 more | 27 Active Iq Unified Manager, Cloud Backup, Clustered Data Ontap and 24 more | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
A flaw was found in libxml2. Exponential entity expansion attack its possible bypassing all existing protection mechanisms and leading to denial of service. | |||||
CVE-2021-32623 | 1 Apereo | 1 Opencast | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
Opencast is a free and open source solution for automated video capture and distribution. Versions of Opencast prior to 9.6 are vulnerable to the billion laughs attack, which allows an attacker to easily execute a (seemingly permanent) denial of service attack, essentially taking down Opencast using a single HTTP request. To exploit this, users need to have ingest privileges, limiting the group of potential attackers The problem has been fixed in Opencast 9.6. There is no known workaround for this issue. | |||||
CVE-2020-15303 | 1 Infoblox | 1 Nios | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
Infoblox NIOS before 8.5.2 allows entity expansion during an XML upload operation, a related issue to CVE-2003-1564. | |||||
CVE-2021-38490 | 1 Altova | 1 Mobiletogether Server | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
Altova MobileTogether Server before 7.3 SP1 allows XML exponential entity expansion, a different vulnerability than CVE-2021-37425. | |||||
CVE-2018-10868 | 1 Redhat | 1 Certification | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
redhat-certification 7 does not properly restrict the number of recursive definitions of entities in XML documents, allowing an unauthenticated user to run a "Billion Laugh Attack" by replying to XMLRPC methods when getting the status of an host. | |||||
CVE-2021-1267 | 1 Cisco | 1 Firepower Management Center | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
A vulnerability in the dashboard widget of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to improper restrictions on XML entities. An attacker could exploit this vulnerability by crafting an XML-based widget on an affected server. A successful exploit could cause increased memory and CPU utilization, which could result in a DoS condition. | |||||
CVE-2021-23926 | 4 Apache, Debian, Netapp and 1 more | 7 Xmlbeans, Debian Linux, Oncommand Unified Manager Core Package and 4 more | 2023-12-10 | 6.4 MEDIUM | 9.1 CRITICAL |
The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0. | |||||
CVE-2020-24665 | 1 Hitachi | 1 Vantara Pentaho | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
The Dashboard Editor in Hitachi Vantara Pentaho through 7.x - 8.x contains an XML Entity Expansion injection vulnerability, which allows an authenticated remote users to trigger a denial of service (DoS) condition. Specifically, the vulnerability lies in the 'dashboardXml' parameter. Remediated in >= 7.1.0.25, >= 8.2.0.6, >= 8.3.0.0 GA | |||||
CVE-2020-27017 | 2 Microsoft, Trendmicro | 2 Windows, Interscan Messaging Security Virtual Appliance | 2023-12-10 | 4.0 MEDIUM | 4.9 MEDIUM |
Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 is vulnerable to an XML External Entity Processing (XXE) vulnerability which could allow an authenticated administrator to read arbitrary local files. An attacker must already have obtained product administrator/root privileges to exploit this vulnerability. | |||||
CVE-2020-25186 | 1 We-con | 1 Levistudiou | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
An XXE vulnerability exists within LeviStudioU Release Build 2019-09-21 and prior when processing parameter entities, which may allow file disclosure. | |||||
CVE-2020-24589 | 1 Wso2 | 2 Api Manager, Api Microgateway | 2023-12-10 | 6.4 MEDIUM | 9.1 CRITICAL |
The Management Console in WSO2 API Manager through 3.1.0 and API Microgateway 2.2.0 allows XML External Entity injection (XXE) attacks. | |||||
CVE-2020-4481 | 1 Ibm | 1 Urbancode Deploy | 2023-12-10 | 6.4 MEDIUM | 8.2 HIGH |
IBM UrbanCode Deploy (UCD) 6.2.7.3, 6.2.7.4, 7.0.3.0, and 7.0.4.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 181848. | |||||
CVE-2020-11462 | 1 Openvpn | 1 Openvpn Access Server | 2023-12-10 | 4.3 MEDIUM | 7.5 HIGH |
An issue was discovered in OpenVPN Access Server before 2.7.0 and 2.8.x before 2.8.3. With the full featured RPC2 interface enabled, it is possible to achieve a temporary DoS state of the management interface when sending an XML Entity Expansion (XEE) payload to the XMLRPC based RPC2 interface. The duration of the DoS state depends on available memory and CPU speed. The default restricted mode of the RPC2 interface is NOT vulnerable. | |||||
CVE-2020-4377 | 1 Ibm | 1 Cognos Analytics | 2023-12-10 | 6.4 MEDIUM | 9.1 CRITICAL |
IBM Cognos Anaytics 11.0 and 11.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 179156. | |||||
CVE-2020-24052 | 1 Moog | 4 Exvf5c-2, Exvf5c-2 Firmware, Exvp7c2-3 and 1 more | 2023-12-10 | 6.4 MEDIUM | 9.1 CRITICAL |
Several XML External Entity (XXE) vulnerabilities in the Moog EXO Series EXVF5C-2 and EXVP7C2-3 units allow remote unauthenticated users to read arbitrary files via a crafted Document Type Definition (DTD) in an XML request. | |||||
CVE-2020-24590 | 1 Wso2 | 2 Api Manager, Api Microgateway | 2023-12-10 | 6.4 MEDIUM | 9.1 CRITICAL |
The Management Console in WSO2 API Manager through 3.1.0 and API Microgateway 2.2.0 allows XML Entity Expansion attacks. |