Total
852 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-22486 | 1 Ibm | 1 Tivoli Workload Scheduler | 2023-02-08 | N/A | 9.1 CRITICAL |
| IBM Tivoli Workload Scheduler 9.4, 9.5, and 10.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 226328. | |||||
| CVE-2022-47873 | 1 Netcad | 1 Keos | 2023-02-07 | N/A | 9.8 CRITICAL |
| Netcad KEOS 1.0 is vulnerable to XML External Entity (XXE) resulting in SSRF with XXE (remote). | |||||
| CVE-2023-22322 | 1 Omron | 1 Cx-motion Pro | 2023-02-06 | N/A | 5.5 MEDIUM |
| Improper restriction of XML external entity reference (XXE) vulnerability exists in OMRON CX-Motion Pro 1.4.6.013 and earlier. If a user opens a specially crafted project file created by an attacker, sensitive information in the file system where CX-Motion Pro is installed may be disclosed. | |||||
| CVE-2023-24429 | 1 Jenkins | 1 Semantic Versioning | 2023-02-03 | N/A | 9.8 CRITICAL |
| Jenkins Semantic Versioning Plugin 1.14 and earlier does not restrict execution of an controller/agent message to agents, and implements no limitations about the file path that can be parsed, allowing attackers able to control agent processes to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. | |||||
| CVE-2023-24430 | 1 Jenkins | 1 Semantic Versioning | 2023-02-03 | N/A | 9.8 CRITICAL |
| Jenkins Semantic Versioning Plugin 1.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2022-39135 | 1 Apache | 1 Calcite | 2023-02-03 | N/A | 9.8 CRITICAL |
| In Apache Calcite prior to version 1.32.0 the SQL operators EXISTS_NODE, EXTRACT_XML, XML_TRANSFORM and EXTRACT_VALUE do not restrict XML External Entity references in their configuration, which makes them vulnerable to a potential XML External Entity (XXE) attack. Therefore any client exposing these operators, typically by using Oracle dialect (the first three) or MySQL dialect (the last one), is affected by this vulnerability (the extent of it will depend on the user under which the application is running). From Apache Calcite 1.32.0 onwards, Document Type Declarations and XML External Entity resolution are disabled on the impacted operators. | |||||
| CVE-2019-20627 | 1 Rbsoft | 1 Autoupdater.net | 2023-02-03 | 7.5 HIGH | 9.8 CRITICAL |
| AutoUpdater.cs in AutoUpdater.NET before 1.5.8 allows XXE. | |||||
| CVE-2019-4062 | 1 Ibm | 1 I2 Intelligent Analysis Platform | 2023-02-03 | 5.5 MEDIUM | 7.1 HIGH |
| IBM i2 Intelligent Analyis Platform 9.0.0 through 9.1.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 157007. | |||||
| CVE-2019-4208 | 1 Ibm | 1 Tririga Application Platform | 2023-02-03 | 5.5 MEDIUM | 7.1 HIGH |
| IBM TRIRIGA Application Platform 3.5.3 and 3.6.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 159129. | |||||
| CVE-2018-3881 | 1 Focalscope | 1 Focalscope | 2023-02-03 | 7.5 HIGH | 9.4 CRITICAL |
| An exploitable unauthenticated XML external injection vulnerability was identified in FocalScope v2416. A unauthenticated attacker could submit a specially crafted web request to FocalScope's server that could cause an XXE, and potentially result in data compromise. | |||||
| CVE-2020-25649 | 6 Apache, Fasterxml, Fedoraproject and 3 more | 39 Iotdb, Jackson-databind, Fedora and 36 more | 2023-02-02 | 5.0 MEDIUM | 7.5 HIGH |
| A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity. | |||||
| CVE-2023-24443 | 1 Jenkins | 1 Testcomplete Support | 2023-02-02 | N/A | 9.8 CRITICAL |
| Jenkins TestComplete support Plugin 2.8.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2023-24441 | 1 Jenkins | 1 Mstest | 2023-02-02 | N/A | 9.8 CRITICAL |
| Jenkins MSTest Plugin 1.0.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2019-4419 | 1 Ibm | 3 Intelligent Operations Center, Intelligent Operations Center For Emergency Management, Water Operations For Waternamics | 2023-01-31 | 6.4 MEDIUM | 8.2 HIGH |
| IBM Intelligent Operations Center V5.1.0 through V5.2.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 162737. | |||||
| CVE-2017-16349 | 1 Sap | 1 Business Planning And Consolidation | 2023-01-30 | 5.5 MEDIUM | 8.1 HIGH |
| An exploitable XML external entity vulnerability exists in the reporting functionality of SAP BPC. A specially crafted XML request can cause an XML external entity to be referenced, resulting in information disclosure and potential denial of service. An attacker can issue authenticated HTTP requests to trigger this vulnerability. | |||||
| CVE-2017-10617 | 1 Juniper | 1 Contrail | 2023-01-30 | 5.0 MEDIUM | 5.0 MEDIUM |
| The ifmap service that comes bundled with Contrail has an XML External Entity (XXE) vulnerability that may allow an attacker to retrieve sensitive system files. Affected releases are Juniper Networks Contrail 2.2 prior to 2.21.4; 3.0 prior to 3.0.3.4; 3.1 prior to 3.1.4.0; 3.2 prior to 3.2.5.0. CVE-2017-10616 and CVE-2017-10617 can be chained together and have a combined CVSSv3 score of 5.8 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N). | |||||
| CVE-2018-1845 | 3 Ibm, Linux, Microsoft | 8 Aix, Infosphere Governance Catalog, Infosphere Information Server and 5 more | 2023-01-30 | 5.5 MEDIUM | 7.1 HIGH |
| IBM InfoSphere Information Server 11.3, 11.5, and 11.7 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 150905. | |||||
| CVE-2019-17637 | 2 Debian, Eclipse | 2 Debian Linux, Web Tools Platform | 2023-01-27 | 5.8 MEDIUM | 7.1 HIGH |
| In all versions of Eclipse Web Tools Platform through release 3.18 (2020-06), XML and DTD files referring to external entities could be exploited to send the contents of local files to a remote server when edited or validated, even when external entity resolution is disabled in the user preferences. | |||||
| CVE-2023-23595 | 1 Bluecatnetworks | 1 Device Registration Portal | 2023-01-24 | N/A | 7.5 HIGH |
| BlueCat Device Registration Portal 2.2 allows XXE attacks that exfiltrate single-line files. A single-line file might contain credentials, such as "machine example.com login daniel password qwerty" in the documentation example for the .netrc file format. NOTE: 2.x versions are no longer supported. There is no available information about whether any later version is affected. | |||||
| CVE-2023-22624 | 1 Zohocorp | 1 Manageengine Exchange Reporter Plus | 2023-01-23 | N/A | 7.5 HIGH |
| Zoho ManageEngine Exchange Reporter Plus before 5708 allows attackers to conduct XXE attacks. | |||||