Total
852 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-1000837 | 1 Obeo | 1 Uml Designer | 2019-09-11 | 7.5 HIGH | 10.0 CRITICAL |
| UML Designer version <= 8.0.0 contains a XML External Entity (XXE) vulnerability in XML parser for plugins that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via malicious plugins.xml file. | |||||
| CVE-2019-16174 | 1 Limesurvey | 1 Limesurvey | 2019-09-10 | 6.8 MEDIUM | 8.8 HIGH |
| An XML injection vulnerability was found in Limesurvey before 3.17.14 that allows remote attackers to import specially crafted XML files and execute code or compromise data integrity. | |||||
| CVE-2019-13608 | 1 Citrix | 1 Storefront Server | 2019-09-04 | 5.0 MEDIUM | 7.5 HIGH |
| Citrix StoreFront Server before 1903, 7.15 LTSR before CU4 (3.12.4000), and 7.6 LTSR before CU8 (3.0.8000) allows XXE attacks. | |||||
| CVE-2018-11796 | 1 Apache | 1 Tika | 2019-09-03 | 5.0 MEDIUM | 7.5 HIGH |
| In Apache Tika 1.19 (CVE-2018-11761), we added an entity expansion limit for XML parsing. However, Tika reuses SAXParsers and calls reset() after each parse, which, for Xerces2 parsers, as per the documentation, removes the user-specified SecurityManager and thus removes entity expansion limits after the first parse. Apache Tika versions from 0.1 to 1.19 are therefore still vulnerable to entity expansions which can lead to a denial of service attack. Users should upgrade to 1.19.1 or later. | |||||
| CVE-2019-15641 | 1 Webmin | 1 Webmin | 2019-08-30 | 6.8 MEDIUM | 6.5 MEDIUM |
| xmlrpc.cgi in Webmin through 1.930 allows authenticated XXE attacks. By default, only root, admin, and sysadm can access xmlrpc.cgi. | |||||
| CVE-2019-14258 | 1 Zenoss | 1 Zenoss | 2019-08-30 | 5.0 MEDIUM | 7.5 HIGH |
| The XML-RPC subsystem in Zenoss 2.5.3 allows XXE attacks that lead to unauthenticated information disclosure via port 9988. | |||||
| CVE-2019-13176 | 1 3cx | 1 3cx | 2019-08-28 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in the 3CX Phone system (web) management console 12.5.44178.1002 through 12.5 SP2. The Content.MainForm.wgx component is affected by XXE via a crafted XML document in POST data. There is potential to use this for SSRF (reading local files, outbound HTTP, and outbound DNS). | |||||
| CVE-2019-13031 | 2 Debian, Lemonldap-ng | 2 Debian Linux, Lemonldap\ | 2019-08-26 | 6.8 MEDIUM | 8.1 HIGH |
| LemonLDAP::NG before 1.9.20 has an XML External Entity (XXE) issue when submitting a notification to the notification server. By default, the notification server is not enabled and has a "deny all" rule. | |||||
| CVE-2019-1187 | 1 Microsoft | 8 Windows 10, Windows 7, Windows 8.1 and 5 more | 2019-08-21 | 5.0 MEDIUM | 7.5 HIGH |
| A denial of service vulnerability exists when the XmlLite runtime (XmlLite.dll) improperly parses XML input, aka 'XmlLite Runtime Denial of Service Vulnerability'. | |||||
| CVE-2019-1057 | 1 Microsoft | 8 Windows 10, Windows 7, Windows 8.1 and 5 more | 2019-08-19 | 9.3 HIGH | 8.8 HIGH |
| A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka 'MS XML Remote Code Execution Vulnerability'. | |||||
| CVE-2018-14383 | 1 Ttpsc | 1 The Scheduler | 2019-08-14 | 5.0 MEDIUM | 7.5 HIGH |
| The Transition Technologies "The Scheduler" app 5.1.3 for Jira allows XXE due to a weakly configured/parameterized XML parser. It was fixed in the versions 5.2.1 and 3.3.7 | |||||
| CVE-2017-18438 | 1 Cpanel | 1 Cpanel | 2019-08-09 | 6.5 MEDIUM | 6.3 MEDIUM |
| cPanel before 64.0.21 allows demo accounts to execute code via Encoding API calls (SEC-242). | |||||
| CVE-2019-1010202 | 1 Jeesite | 1 Jeesite | 2019-08-05 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jeesite 1.2.7 is affected by: XML External Entity (XXE). The impact is: sensitive information disclosure. The component is: convertToModel() function in src/main/java/com.thinkgem.jeesite/modules/act/service/ActProcessService.java. The attack vector is: network connectivity,authenticated,must upload a specially crafted xml file. The fixed version is: 4.0 and later. | |||||
| CVE-2019-10264 | 1 Ahsay | 1 Cloud Backup Suite | 2019-07-31 | 6.5 MEDIUM | 7.2 HIGH |
| An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. With a valid administrator account, the "Move / Import / Export Users" screen has an Import Users option. This option accepts a ZIP archive containing a users.xml file that can trigger XXE. | |||||
| CVE-2019-10266 | 1 Ahsay | 1 Cloud Backup Suite | 2019-07-31 | 7.8 HIGH | 7.5 HIGH |
| An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. When sending an out-of-bounds XML document to a URL, it is possible to read the file structure and even the content of files without authentication. | |||||
| CVE-2017-6662 | 1 Cisco | 2 Evolved Programmable Network Manager, Prime Infrastructure | 2019-07-29 | 6.0 MEDIUM | 8.0 HIGH |
| A vulnerability in the web-based user interface of Cisco Prime Infrastructure (PI) and Evolved Programmable Network Manager (EPNM) could allow an authenticated, remote attacker read and write access to information stored in the affected system as well as perform remote code execution. The attacker must have valid user credentials. The vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing an XML file. An attacker could exploit this vulnerability by convincing the administrator of an affected system to import a crafted XML file with malicious entries which could allow the attacker to read and write files and execute remote code within the application, aka XML Injection. Cisco Prime Infrastructure software releases 1.1 through 3.1.6 are vulnerable. Cisco EPNM software releases 1.2, 2.0, and 2.1 are vulnerable. Cisco Bug IDs: CSCvc23894 CSCvc49561. | |||||
| CVE-2019-1010268 | 1 Ladon Project | 1 Ladon | 2019-07-24 | 7.5 HIGH | 9.8 CRITICAL |
| Ladon since 0.6.1 (since ebef0aae48af78c159b6fce81bc6f5e7e0ddb059) is affected by: XML External Entity (XXE). The impact is: Information Disclosure, reading files and reaching internal network endpoints. The component is: SOAP request handlers. For instance: https://bitbucket.org/jakobsg/ladon/src/42944fc012a3a48214791c120ee5619434505067/src/ladon/interfaces/soap.py#lines-688. The attack vector is: Send a specially crafted SOAP call. | |||||
| CVE-2017-1000190 | 1 Simplexml Project | 1 Simplexml | 2019-07-23 | 6.4 MEDIUM | 9.1 CRITICAL |
| SimpleXML (latest version 2.7.1) is vulnerable to an XXE vulnerability resulting SSRF, information disclosure, DoS and so on. | |||||
| CVE-2019-7847 | 3 Adobe, Linux, Microsoft | 3 Campaign, Linux Kernel, Windows | 2019-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| Adobe Campaign Classic version 18.10.5-8984 and earlier versions have an Improper Restriction of XML External Entity Reference ('XXE') vulnerability. Successful exploitation could lead to Arbitrary read access to the file system in the context of the current user. | |||||
| CVE-2019-13625 | 1 Nsa | 1 Ghidra | 2019-07-19 | 9.4 HIGH | 9.1 CRITICAL |
| NSA Ghidra before 9.0.1 allows XXE when a project is opened or restored, or a tool is imported, as demonstrated by a project.prp file. | |||||