Vulnerabilities (CVE)

Filtered by vendor Dom4j Project Subscribe
Total 2 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-10683 5 Canonical, Dom4j Project, Netapp and 2 more 34 Ubuntu Linux, Dom4j, Oncommand Api Services and 31 more 2021-10-20 7.5 HIGH 9.8 CRITICAL
dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.
CVE-2018-1000632 5 Debian, Dom4j Project, Netapp and 2 more 15 Debian Linux, Dom4j, Oncommand Workflow Automation and 12 more 2021-09-07 5.0 MEDIUM 7.5 HIGH
dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.