Total
852 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-40439 | 1 Apache | 1 Openoffice | 2021-10-15 | 4.3 MEDIUM | 6.5 MEDIUM |
| Apache OpenOffice has a dependency on expat software. Versions prior to 2.1.0 were subject to CVE-2013-0340 a "Billion Laughs" entity expansion denial of service attack and exploit via crafted XML files. ODF files consist of a set of XML files. All versions of Apache OpenOffice up to 4.1.10 are subject to this issue. expat in version 4.1.11 is patched. | |||||
| CVE-2021-38298 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2021-10-14 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine ADManager Plus before 7110 is vulnerable to blind XXE. | |||||
| CVE-2021-34706 | 1 Cisco | 1 Identity Services Engine | 2021-10-14 | 5.5 MEDIUM | 5.4 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access sensitive information or conduct a server-side request forgery (SSRF) attack through an affected device. This vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by uploading a crafted XML file that contains references to external entities. A successful exploit could allow the attacker to retrieve files from the local system, resulting in the disclosure of sensitive information, or cause the web application to perform arbitrary HTTP requests on behalf of the attacker. | |||||
| CVE-2021-41098 | 1 Nokogiri | 1 Nokogiri | 2021-10-06 | 5.0 MEDIUM | 7.5 HIGH |
| Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected: Nokogiri::XML::SAX::Parse, Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser, Nokogiri::XML::SAX::PushParser, and Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser. JRuby users should upgrade to Nokogiri v1.12.5 or later to receive a patch for this issue. There are no workarounds available for v1.12.4 or earlier. CRuby users are not affected. | |||||
| CVE-2021-35201 | 1 Netscout | 1 Ngeniusone | 2021-10-04 | 4.3 MEDIUM | 6.5 MEDIUM |
| NEI in NETSCOUT nGeniusONE 6.3.0 build 1196 allows XML External Entity (XXE) attacks. | |||||
| CVE-2021-29831 | 1 Ibm | 2 Jazz For Service Management, Tivoli Netcool\/omnibus Gui | 2021-09-29 | 5.5 MEDIUM | 8.1 HIGH |
| IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbus_GUI is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 204775. | |||||
| CVE-2021-40356 | 1 Siemens | 1 Teamcenter Visualization | 2021-09-28 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability has been identified in Teamcenter V12.4 (All versions < V12.4.0.8), Teamcenter V13.0 (All versions < V13.0.0.7), Teamcenter V13.1 (All versions < V13.1.0.5), Teamcenter V13.2 (All versions < 13.2.0.2). The application contains a XML External Entity Injection (XXE) vulnerability. This could allow an attacker to view files on the application server filesystem. | |||||
| CVE-2021-30137 | 1 Axiossystems | 1 Assyst | 2021-09-27 | 6.4 MEDIUM | 8.2 HIGH |
| Assyst 10 SP7.5 has authenticated XXE leading to SSRF via XML unmarshalling. The application allows users to send JSON or XML data to the server. It was possible to inject malicious XML data through several access points. | |||||
| CVE-2021-39239 | 1 Apache | 1 Jena | 2021-09-27 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability in XML processing in Apache Jena, in versions up to 4.1.0, may allow an attacker to execute XML External Entities (XXE), including exposing the contents of local files to a remote server. | |||||
| CVE-2021-38555 | 1 Apache | 1 Any23 | 2021-09-23 | 6.4 MEDIUM | 9.1 CRITICAL |
| An XML external entity (XXE) injection vulnerability was discovered in the Any23 StreamUtils.java file and is known to affect Any23 versions < 2.5. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access. | |||||
| CVE-2020-6590 | 1 Forcepoint | 3 Data Loss Prevention, Email Security, Web Security Content Gateway | 2021-09-16 | 5.0 MEDIUM | 7.5 HIGH |
| Forcepoint Web Security Content Gateway versions prior to 8.5.4 improperly process XML input, leading to information disclosure. | |||||
| CVE-2021-3055 | 1 Paloaltonetworks | 1 Pan-os | 2021-09-15 | 7.5 HIGH | 6.5 MEDIUM |
| An improper restriction of XML external entity (XXE) reference vulnerability in the Palo Alto Networks PAN-OS web interface enables an authenticated administrator to read any arbitrary file from the file system and send a specifically crafted request to the firewall that causes the service to crash. Repeated attempts to send this request result in denial of service to all PAN-OS services by restarting the device and putting it into maintenance mode. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14; PAN-OS 9.1 versions earlier than PAN-OS 9.1.10; PAN-OS 10.0 versions earlier than PAN-OS 10.0.6. This issue does not affect Prisma Access. | |||||
| CVE-2021-34436 | 1 Eclipse | 1 Theia | 2021-09-14 | 7.5 HIGH | 9.8 CRITICAL |
| In Eclipse Theia 0.1.1 to 0.2.0, it is possible to exploit the default build to obtain remote code execution (and XXE) via the theia-xml-extension. This extension uses lsp4xml (recently renamed to LemMinX) in order to provide language support for XML. This is installed by default. | |||||
| CVE-2016-5851 | 1 Python-openxml Project | 1 Python-docx | 2021-09-09 | 6.8 MEDIUM | 8.8 HIGH |
| python-docx before 0.8.6 allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted document. | |||||
| CVE-2021-21680 | 1 Jenkins | 1 Nested View | 2021-09-07 | 5.5 MEDIUM | 7.1 HIGH |
| Jenkins Nested View Plugin 1.20 and earlier does not configure its XML transformer to prevent XML external entity (XXE) attacks. | |||||
| CVE-2021-34823 | 1 On24 | 1 Screenshare | 2021-08-31 | 6.4 MEDIUM | 9.1 CRITICAL |
| The ON24 ScreenShare (aka DesktopScreenShare.app) plugin before 2.0 for macOS allows remote file access via its built-in HTTP server. This allows unauthenticated remote users to retrieve files accessible to the logged-on macOS user. When a remote user sends a crafted HTTP request to the server, it triggers a code path that will download a configuration file from a specified remote machine over HTTP. There is an XXE flaw in processing of this configuration file that allows reading local (to macOS) files and uploading them to remote machines. | |||||
| CVE-2021-27604 | 1 Sap | 1 Netweaver Process Integration | 2021-08-27 | 4.0 MEDIUM | 6.5 MEDIUM |
| In order to prevent XML External Entity vulnerability in SAP NetWeaver ABAP Server and ABAP Platform (Process Integration - Enterprise Service Repository JAVA Mappings), versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50, SAP recommends to refer this note. | |||||
| CVE-2021-27741 | 1 Hcltechsw | 1 Hcl Commerce | 2021-08-24 | 6.4 MEDIUM | 9.1 CRITICAL |
| " Security vulnerability in HCL Commerce Management Center allowing XML external entity (XXE) injection" | |||||
| CVE-2020-18705 | 1 Quokka Project | 1 Quokka | 2021-08-23 | 7.5 HIGH | 9.8 CRITICAL |
| XML External Entities (XXE) in Quokka v0.4.0 allows remote attackers to execute arbitrary code via the component 'quokka/core/content/views.py'. | |||||
| CVE-2020-18703 | 1 Quokka Project | 1 Quokka | 2021-08-23 | 7.5 HIGH | 9.8 CRITICAL |
| XML External Entities (XXE) in Quokka v0.4.0 allows remote attackers to execute arbitrary code via the component 'quokka/utils/atom.py'. | |||||