Total
852 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-45121 | 2023-03-22 | N/A | N/A | ||
Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file. | |||||
CVE-2022-46300 | 2023-03-22 | N/A | N/A | ||
Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file. | |||||
CVE-2022-41696 | 2023-03-22 | N/A | N/A | ||
Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file. | |||||
CVE-2022-46286 | 2023-03-22 | N/A | N/A | ||
Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file. | |||||
CVE-2022-45468 | 2023-03-22 | N/A | N/A | ||
Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file. | |||||
CVE-2018-25082 | 2023-03-21 | N/A | N/A | ||
A vulnerability was found in zwczou WeChat SDK Python 0.3.0 and classified as critical. This issue affects the function validate/to_xml. The manipulation leads to xml external entity reference. The attack may be initiated remotely. Upgrading to version 0.5.5 is able to address this issue. The name of the patch is e54abadc777715b6dcb545c13214d1dea63df6c9. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-223403. | |||||
CVE-2023-26461 | 1 Sap | 1 Netweaver Enterprise Portal | 2023-03-21 | N/A | 4.9 MEDIUM |
SAP NetWeaver allows (SAP Enterprise Portal) - version 7.50, allows an authenticated attacker with sufficient privileges to access the XML parser which can submit a crafted XML file which when parsed will enable them to access but not modify sensitive files and data. It allows the attacker to view sensitive data which is owned by certain privileges. | |||||
CVE-2023-27874 | 2023-03-21 | N/A | N/A | ||
IBM Aspera Faspex 4.4.2 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote authenticated attacker could exploit this vulnerability to execute arbitrary commands. IBM X-Force ID: 249845. | |||||
CVE-2023-1288 | 1 3ds | 1 Enovia Live Collaboration | 2023-03-21 | N/A | 7.5 HIGH |
An XML External Entity injection (XXE) vulnerability in ENOVIA Live Collaboration V6R2013xE allows an attacker to read local files on the server. | |||||
CVE-2022-45588 | 1 Talend | 1 Remote Engine Gen 2 | 2023-03-15 | N/A | 9.8 CRITICAL |
All versions before R2022-09 of Talend's Remote Engine Gen 2 are potentially vulnerable to XML External Entity (XXE) type of attacks. Users should download the R2022-09 release or later and use it in place of the previous version. Talend Remote Engine Gen 1 and Talend Cloud Engine for Design are not impacted. This XXE vulnerability could only be exploited by someone with the appropriate rights to edit pipelines on the Talend platform. It could not be triggered remotely or by other user input. | |||||
CVE-2023-27476 | 1 Osgeo | 1 Owslib | 2023-03-15 | N/A | 7.5 HIGH |
OWSLib is a Python package for client programming with Open Geospatial Consortium (OGC) web service interface standards, and their related content models. OWSLib's XML parser (which supports both `lxml` and `xml.etree`) does not disable entity resolution, and could lead to arbitrary file reads from an attacker-controlled XML payload. This affects all XML parsing in the codebase. This issue has been addressed in version 0.28.1. All users are advised to upgrade. The only known workaround is to patch the library manually. See `GHSA-8h9c-r582-mggc` for details. | |||||
CVE-2023-27480 | 1 Xwiki | 1 Xwiki | 2023-03-14 | N/A | 7.7 HIGH |
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with edit rights on a document can trigger an XAR import on a forged XAR file, leading to the ability to display the content of any file on the XWiki server host. This vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10-rc-1. Users are advised to upgrade. Users unable to upgrade may apply the patch `e3527b98fd` manually. | |||||
CVE-2023-26043 | 1 Osgeo | 1 Geonode | 2023-03-08 | N/A | 6.5 MEDIUM |
GeoNode is an open source platform that facilitates the creation, sharing, and collaborative use of geospatial data. GeoNode is vulnerable to an XML External Entity (XXE) injection in the style upload functionality of GeoServer leading to Arbitrary File Read. This issue has been patched in version 4.0.3. | |||||
CVE-2022-40705 | 1 Apache | 1 Soap | 2023-03-07 | N/A | 7.5 HIGH |
** UNSUPPORTED WHEN ASSIGNED ** An Improper Restriction of XML External Entity Reference vulnerability in RPCRouterServlet of Apache SOAP allows an attacker to read arbitrary files over HTTP. This issue affects Apache SOAP version 2.2 and later versions. It is unknown whether previous versions are also affected. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
CVE-2023-24189 | 1 Bstek | 1 Urule | 2023-03-06 | N/A | 9.8 CRITICAL |
An XML External Entity (XXE) vulnerability in urule v2.1.7 allows attackers to execute arbitrary code via uploading a crafted XML file to /urule/common/saveFile. | |||||
CVE-2019-13990 | 4 Apache, Netapp, Oracle and 1 more | 30 Tomee, Active Iq Unified Manager, Cloud Secure Agent and 27 more | 2023-03-03 | 7.5 HIGH | 9.8 CRITICAL |
initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description. | |||||
CVE-2023-20855 | 1 Vmware | 2 Vrealize Automation, Vrealize Orchestrator | 2023-03-03 | N/A | 8.8 HIGH |
VMware vRealize Orchestrator contains an XML External Entity (XXE) vulnerability. A malicious actor, with non-administrative access to vRealize Orchestrator, may be able to use specially crafted input to bypass XML parsing restrictions leading to access to sensitive information or possible escalation of privileges. | |||||
CVE-2015-10082 | 1 Libimobiledevice | 1 Libplist | 2023-03-02 | N/A | 9.8 CRITICAL |
A vulnerability classified as problematic has been found in UIKit0 libplist 1.12. This affects the function plist_from_xml of the file src/xplist.c of the component XML Handler. The manipulation leads to xml external entity reference. The name of the patch is c086cb139af7c82845f6d565e636073ff4b37440. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-221499. | |||||
CVE-2023-26267 | 1 Php-saml-sp Project | 1 Php-saml-sp | 2023-03-02 | N/A | 6.5 MEDIUM |
php-saml-sp before 1.1.1 and 2.x before 2.1.1 allows reading arbitrary files as the webserver user because resolving XML external entities was silently enabled via \LIBXML_DTDLOAD | \LIBXML_DTDATTR. | |||||
CVE-2016-15026 | 1 Dd-plist Project | 1 Dd-plist | 2023-03-01 | N/A | 7.8 HIGH |
A vulnerability was found in 3breadt dd-plist 1.17 and classified as problematic. Affected by this issue is some unknown functionality. The manipulation leads to xml external entity reference. An attack has to be approached locally. Upgrading to version 1.18 is able to address this issue. The name of the patch is 8c954e8d9f6f6863729e50105a8abf3f87fff74c. It is recommended to upgrade the affected component. VDB-221486 is the identifier assigned to this vulnerability. |