Total
852 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-23031 | 1 F5 | 3 Big-ip Advanced Web Application Firewall, Big-ip Application Security Manager, Big-ip Fraud Protection Service | 2022-02-01 | 4.0 MEDIUM | 4.9 MEDIUM |
| On BIG-IP FPS, ASM, and Advanced WAF versions 16.1.x before 16.1.1, 15.1.x before 15.1.4, and 14.1.x before 14.1.4.4, an XML External Entity (XXE) vulnerability exists in an undisclosed page of the F5 Advanced Web Application Firewall (Advanced WAF) and BIG-IP ASM Traffic Management User Interface (TMUI), also referred to as the Configuration utility, that allows an authenticated high-privileged attacker to read local files and force BIG-IP to send HTTP requests. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2020-7572 | 1 Schneider-electric | 1 Webreports | 2022-01-31 | 6.5 MEDIUM | 8.8 HIGH |
| A CWE-611 Improper Restriction of XML External Entity Reference vulnerability exists in EcoStruxure Building Operation WebReports V1.9 - V3.1 that could cause an authenticated remote user being able to inject arbitrary XML code and obtain disclosure of confidential data, denial of service, server side request forgery due to improper configuration of the XML parser. | |||||
| CVE-2018-7783 | 1 Schneider-electric | 1 Somachine Basic | 2022-01-31 | 5.0 MEDIUM | 7.5 HIGH |
| Schneider Electric SoMachine Basic prior to v1.6 SP1 suffers from an XML External Entity (XXE) vulnerability using the DTD parameter entities technique resulting in disclosure and retrieval of arbitrary data on the affected node via out-of-band (OOB) attack. The vulnerability is triggered when input passed to the xml parser is not sanitized while parsing the xml project/template file. | |||||
| CVE-2020-4876 | 2 Ibm, Microsoft | 2 Cognos Controller, Windows | 2022-01-27 | 6.4 MEDIUM | 8.2 HIGH |
| IBM Cognos Controller 10.4.0, 10.4.1, and 10.4.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 190839. | |||||
| CVE-2020-4875 | 2 Ibm, Microsoft | 2 Cognos Controller, Windows | 2022-01-27 | 6.4 MEDIUM | 8.2 HIGH |
| IBM Cognos Controller 10.4.0, 10.4.1, and 10.4.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 190838. | |||||
| CVE-2022-0219 | 1 Jadx Project | 1 Jadx | 2022-01-26 | 4.3 MEDIUM | 5.5 MEDIUM |
| Improper Restriction of XML External Entity Reference in GitHub repository skylot/jadx prior to 1.3.2. | |||||
| CVE-2022-0239 | 1 Stanford | 1 Corenlp | 2022-01-21 | 7.5 HIGH | 9.8 CRITICAL |
| corenlp is vulnerable to Improper Restriction of XML External Entity Reference | |||||
| CVE-2022-0198 | 1 Stanford | 1 Corenlp | 2022-01-19 | 5.8 MEDIUM | 7.1 HIGH |
| corenlp is vulnerable to Improper Restriction of XML External Entity Reference | |||||
| CVE-2021-40722 | 1 Adobe | 2 Experience Manager, Experience Manager Cloud Service | 2022-01-19 | 7.5 HIGH | 9.8 CRITICAL |
| AEM Forms Cloud Service offering, as well as version 6.5.10.0 (and below) are affected by an XML External Entity (XXE) injection vulnerability that could be abused by an attacker to achieve RCE. | |||||
| CVE-2021-42560 | 1 Mitre | 1 Caldera | 2022-01-14 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in CALDERA 2.9.0. The Debrief plugin receives base64 encoded "SVG" parameters when generating a PDF document. These SVG documents are parsed in an unsafe manner and can be leveraged for XXE attacks (e.g., File Exfiltration, Server Side Request Forgery, Out of Band Exfiltration, etc.). | |||||
| CVE-2021-44028 | 1 Quest | 1 Kace Desktop Authority | 2022-01-03 | 4.3 MEDIUM | 5.5 MEDIUM |
| XXE can occur in Quest KACE Desktop Authority before 11.2 because the log4net configuration file might be controlled by an attacker, a related issue to CVE-2018-1285. | |||||
| CVE-2019-19032 | 1 Xmlblueprint | 1 Xmlblueprint | 2022-01-01 | 5.5 MEDIUM | 8.1 HIGH |
| XMLBlueprint through 16.191112 is affected by XML External Entity Injection. The impact is: Arbitrary File Read when an XML File is validated. The component is: XML Validate function. The attack vector is: Specially crafted XML payload. | |||||
| CVE-2019-19031 | 1 Edit-xml | 1 Easy Xml Editor | 2022-01-01 | 5.5 MEDIUM | 8.1 HIGH |
| Easy XML Editor through v1.7.8 is affected by: XML External Entity Injection. The impact is: Arbitrary File Read and DoS by consuming resources. The component is: XML Parsing. The attack vector is: Specially crafted XML payload. | |||||
| CVE-2021-45096 | 1 Knime | 1 Knime Analytics Platform | 2021-12-20 | 4.3 MEDIUM | 4.3 MEDIUM |
| KNIME Analytics Platform before 4.5.0 is vulnerable to XXE (external XML entity injection) via a crafted workflow file (.knwf), aka AP-17730. | |||||
| CVE-2021-3836 | 1 Dbeaver | 1 Dbeaver | 2021-12-15 | 4.3 MEDIUM | 5.5 MEDIUM |
| dbeaver is vulnerable to Improper Restriction of XML External Entity Reference | |||||
| CVE-2019-13358 | 1 Opencats | 1 Opencats | 2021-12-14 | 5.0 MEDIUM | 7.5 HIGH |
| lib/DocumentToText.php in OpenCats before 0.9.4-3 has XXE that allows remote users to read files on the underlying operating system. The attacker must upload a file in the docx or odt format. | |||||
| CVE-2021-44556 | 1 Kb | 1 Digger | 2021-12-13 | 6.4 MEDIUM | 9.1 CRITICAL |
| National Library of the Netherlands digger < 6697d1269d981e35e11f240725b16401b5ce3db5 is affected by a XML External Entity (XXE) vulnerability. Since XML parsing resolves external entities, a malicious XML stream could leak internal files and/or cause a DoS. | |||||
| CVE-2021-44557 | 1 Kb | 1 Multiner | 2021-12-13 | 6.4 MEDIUM | 9.1 CRITICAL |
| National Library of the Netherlands multiNER <= c0440948057afc6e3d6b4903a7c05e666b94a3bc is affected by an XML External Entity (XXE) vulnerability in multiNER/ner.py. Since XML parsing resolves external entities, a malicious XML stream could leak internal files and/or cause a DoS. | |||||
| CVE-2021-42776 | 1 Cloverdx | 1 Cloverdx | 2021-12-02 | 6.8 MEDIUM | 7.7 HIGH |
| CloverDX Server before 5.11.2 and and 5.12.x before 5.12.1 allows XXE during configuration import. | |||||
| CVE-2020-4300 | 2 Ibm, Netapp | 2 Cognos Analytics, Oncommand Insight | 2021-12-01 | 6.4 MEDIUM | 8.2 HIGH |
| IBM Cognos Analytics 11.0 and 11.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 176607. | |||||