Total: 852 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2020-10991 | 1 Mulesoft | 1 Apikit | 2020-03-31 | 7.5 HIGH | 9.8 CRITICAL | Mulesoft APIkit through 1.3.0 allows XXE because of validation/RestXmlSchemaValidator.java.
CVE-2020-10990 | 1 Accenture | 1 Mercury | 2020-03-31 | 7.5 HIGH | 9.8 CRITICAL | An XXE issue exists in Accenture Mercury before 1.12.28 because of the platformlambda/core/serializers/SimpleXmlParser.java component.
CVE-2020-10992 | 1 Azkaban Project | 1 Azkaban | 2020-03-31 | 7.5 HIGH | 9.8 CRITICAL | Azkaban through 3.84.0 allows XXE, related to validator/XmlValidatorManager.java and user/XmlUserManager.java.
CVE-2020-10993 | 1 Osmand | 1 Osmand | 2020-03-31 | 6.4 MEDIUM | 9.1 CRITICAL | Osmand through 2.0.0 allows XXE because of binary/BinaryMapIndexReader.java.
CVE-2020-2171 | 1 Jenkins | 1 Rapiddeploy | 2020-03-30 | 6.5 MEDIUM | 8.8 HIGH | Jenkins RapidDeploy Plugin 4.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2020-10799 | 1 Svglib Project | 1 Svglib | 2020-03-24 | 7.5 HIGH | 9.8 CRITICAL | The svglib package through 0.9.3 for Python allows XXE attacks via an svg2rlg call.
CVE-2019-20191 | 1 Sync | 3 Oxygen Xml Author, Oxygen Xml Developer, Oxygen Xml Editor | 2020-03-20 | 5.0 MEDIUM | 7.5 HIGH | Oxygen XML Editor 21.1.1 allows XXE to read any file.
CVE-2018-8010 | 1 Apache | 1 Solr | 2020-03-20 | 2.1 LOW | 5.5 MEDIUM | This vulnerability in Apache Solr 6.0.0 to 6.6.3 and 7.0.0 to 7.3.0 relates to an XML external entity expansion (XXE) in Solr config files (solrconfig.xml, schema.xml, managed-schema). In addition, the XInclude functionality provided in these config files is affected in a similar way. The vulnerability can be used as XXE via the file/ftp/http protocols to read arbitrary local files from the Solr server or the internal network. Users are advised to upgrade to either the Solr 6.6.4 or Solr 7.3.1 release, both of which address the vulnerability. Once the upgrade is complete, no other steps are required. Those releases only allow external entities and XIncludes that refer to local files / ZooKeeper resources below the Solr instance directory (using Solr's ResourceLoader); usage of absolute URLs is denied. Keep in mind that external entities and XInclude are explicitly supported to better structure config files in large installations. Before Solr 6 this was no problem, as config files were not accessible through the APIs.
CVE-2020-9044 | 1 Johnsoncontrols | 20 Metasys Application And Data Server, Metasys Extended Application And Data Server, Metasys Lonworks Control Server and 17 more | 2020-03-11 | 6.4 MEDIUM | 9.1 CRITICAL | An XXE vulnerability exists in the Web Services of the Metasys family of products, which has the potential to facilitate DoS attacks or harvesting of ASCII server files. This affects Johnson Controls' Metasys Application and Data Server (ADS, ADS-Lite) versions 10.1 and prior; Metasys Extended Application and Data Server (ADX) versions 10.1 and prior; Metasys Open Data Server (ODS) versions 10.1 and prior; Metasys Open Application Server (OAS) version 10.1; Metasys Network Automation Engine (NAE55 only) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys Network Integration Engine (NIE55/NIE59) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys NAE85 and NIE85 versions 10.1 and prior; Metasys LonWorks Control Server (LCS) versions 10.1 and prior; Metasys System Configuration Tool (SCT) versions 13.2 and prior; Metasys Smoke Control Network Automation Engine (NAE55, UL 864 UUKL/ORD-C100-13 UUKLC 10th Edition Listed) version 8.1.
CVE-2020-2144 | 1 Jenkins | 1 Rundeck | 2020-03-10 | 5.5 MEDIUM | 7.1 HIGH | Jenkins Rundeck Plugin 3.6.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2015-7968 | 1 Sap | 1 Netweaver Application Server | 2020-03-10 | 4.0 MEDIUM | 4.3 MEDIUM | nwbc_ext2int in SAP NetWeaver Application Server before Security Note 2183189 allows XXE attacks for local file inclusion via the sap/bc/ui2/nwbc/nwbc_ext2int/ URI.
CVE-2020-2138 | 1 Jenkins | 1 Cobertura | 2020-03-10 | 5.5 MEDIUM | 7.1 HIGH | Jenkins Cobertura Plugin 1.15 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2019-6194 | 1 Lenovo | 1 Xclarity Administrator | 2020-02-21 | 4.3 MEDIUM | 5.5 MEDIUM | An XML External Entity (XXE) processing vulnerability was reported in Lenovo XClarity Administrator (LXCA) versions prior to 2.6.6 that could allow information disclosure.
CVE-2020-1693 | 1 Redhat | 1 Spacewalk | 2020-02-20 | 7.5 HIGH | 9.8 CRITICAL | A flaw was found in Spacewalk up to version 2.9, where it was vulnerable to XML internal entity attacks via the /rpc/api endpoint. An unauthenticated remote attacker could use this flaw to retrieve the content of certain files and trigger a denial of service, or in certain circumstances execute arbitrary code on the Spacewalk server.
CVE-2020-6187 | 1 Sap | 1 Netweaver Guided Procedures | 2020-02-19 | 4.0 MEDIUM | 4.9 MEDIUM | SAP NetWeaver (Guided Procedures), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate XML document input from a compromised admin, leading to Denial of Service.
CVE-2020-1975 | 1 Paloaltonetworks | 1 Pan-os | 2020-02-18 | 6.5 MEDIUM | 8.8 HIGH | A missing XML validation vulnerability in the PAN-OS web interface on Palo Alto Networks PAN-OS software allows authenticated users to inject arbitrary XML that results in privilege escalation. This issue affects PAN-OS 8.1 versions earlier than PAN-OS 8.1.12 and PAN-OS 9.0 versions earlier than PAN-OS 9.0.6. This issue does not affect PAN-OS 7.1, PAN-OS 8.0, or PAN-OS 9.1 or later versions.
CVE-2017-9458 | 1 Paloaltonetworks | 1 Pan-os | 2020-02-17 | 7.5 HIGH | 9.8 CRITICAL | XML external entity (XXE) vulnerability in the GlobalProtect internal and external gateway interface in Palo Alto Networks PAN-OS before 6.1.18, 7.0.x before 7.0.17, 7.1.x before 7.1.12, and 8.0.x before 8.0.3 allows remote attackers to obtain sensitive information, cause a denial of service, or conduct server-side request forgery (SSRF) attacks via unspecified vectors.
CVE-2020-2120 | 1 Jenkins | 1 Fitnesse | 2020-02-14 | 6.5 MEDIUM | 8.8 HIGH | Jenkins FitNesse Plugin 1.30 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.
CVE-2020-2115 | 1 Jenkins | 1 Nunit | 2020-02-14 | 6.5 MEDIUM | 8.8 HIGH | Jenkins NUnit Plugin 0.25 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.
CVE-2014-2052 | 1 Owncloud | 1 Owncloud | 2020-02-12 | 7.5 HIGH | 9.8 CRITICAL | Zend Framework, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.