Total: 852 CVE

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2018-1000829 | 1 Anyplace Project | 1 Anyplace | 2019-02-07 | 6.8 MEDIUM | 9.0 CRITICAL |
Anyplace version before commit 80359b4 contains an XML External Entity (XXE) vulnerability in Man in the middle on map API call that can result in disclosure of confidential data, denial of service, SSRF, port scanning. This vulnerability appears to have been fixed after commit 80359b4. | |||||
CVE-2018-1000840 | 1 Processing | 1 Processing | 2019-02-07 | 4.3 MEDIUM | 6.5 MEDIUM |
Processing Foundation Processing version 3.4 and earlier contains an XML External Entity (XXE) vulnerability in the loadXML() function that can allow an attacker to read arbitrary files and exfiltrate their contents via HTTP requests. This attack appears to be exploitable when the victim uses Processing to parse a crafted XML document. | |||||
CVE-2018-20233 | 1 Atlassian | 1 Universal Plugin Manager | 2019-02-06 | 5.5 MEDIUM | 6.5 MEDIUM |
The Upload add-on resource in Atlassian Universal Plugin Manager before version 2.22.14 allows remote attackers who have system administrator privileges to read files, make network requests and perform a denial of service attack via an XML External Entity vulnerability in the parsing of atlassian plugin xml files in an uploaded JAR. | |||||
CVE-2018-15362 | 1 Ge | 1 Cimplicity | 2019-02-06 | 6.4 MEDIUM | 9.1 CRITICAL |
XXE in GE Proficy Cimplicity GDS versions 9.0 R2, 9.5, 10.0 | |||||
CVE-2018-7063 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2019-02-05 | 6.8 MEDIUM | 8.1 HIGH |
In Aruba ClearPass, disabled API admins can still perform read/write operations. In certain circumstances, API admins in ClearPass which have been disabled may still be able to perform read/write operations on parts of the XML API. This can lead to unauthorized access to the API and complete compromise of the ClearPass instance if an attacker knows of the existence of these accounts. | |||||
CVE-2018-20298 | 1 S3browser | 1 S3 Browser | 2019-02-04 | 4.3 MEDIUM | 6.5 MEDIUM |
S3 Browser before 8.1.5 contains an XML external entity (XXE) vulnerability, allowing remote attackers to read arbitrary files and obtain NTLMv2 hash values by tricking a user into connecting to a malicious server via the S3 protocol. | |||||
CVE-2018-20733 | 6 Hpe, Ibm, Linux and 3 more | 6 Hp-ux Ipfilter, Aix, Linux Kernel and 3 more | 2019-02-01 | 5.0 MEDIUM | 7.5 HIGH |
BI Web Services in SAS Web Infrastructure Platform before 9.4M6 allows XXE. | |||||
CVE-2018-7837 | 1 Schneider-electric | 1 Iiot Monior | 2019-02-01 | 5.0 MEDIUM | 7.5 HIGH |
An Improper Restriction of XML External Entity Reference ('XXE') vulnerability exists on numerous methods of the IIoT Monitor 3.1.38 software that could allow the software to resolve documents outside of the intended sphere of control, causing the software to embed incorrect documents into its output and expose restricted information. | |||||
CVE-2018-19244 | 1 Charlesproxy | 1 Charles | 2019-01-31 | 5.0 MEDIUM | 8.6 HIGH |
An XML External Entity (XXE) vulnerability exists in the Charles 4.2.7 import/export setup option. If a user imports a "Charles Settings.xml" file from an attacker, an intranet network may be accessed and information may be leaked. | |||||
CVE-2018-17186 | 1 Apache | 1 Syncope | 2019-01-31 | 6.5 MEDIUM | 7.2 HIGH |
An administrator with workflow definition entitlements can use DTD to perform malicious operations, including but not limited to file read, file write, and code execution. | |||||
CVE-2019-5748 | 1 Traccar | 1 Server | 2019-01-30 | 7.5 HIGH | 9.8 CRITICAL |
In Traccar Server version 4.2, protocol/SpotProtocolDecoder.java might allow XXE attacks. | |||||
CVE-2018-18980 | 1 Zohocorp | 2 Manageengine Network Configuration Manager, Manageengine Opmanager | 2019-01-30 | 5.0 MEDIUM | 7.5 HIGH |
An XML External Entity injection (XXE) vulnerability exists in Zoho ManageEngine Network Configuration Manager and OpManager before 12.3.214 via the RequestXML parameter in a /devices/ProcessRequest.do GET request. For example, the attacker can trigger the transmission of local files to an arbitrary remote FTP server. | |||||
CVE-2018-16166 | 1 Jpcert | 1 Logontracer | 2019-01-25 | 6.8 MEDIUM | 8.8 HIGH |
LogonTracer 1.2.0 and earlier allows remote attackers to conduct XML External Entity (XXE) attacks via unspecified vectors. | |||||
CVE-2018-19371 | 1 Sdl | 1 Web Content Manager | 2019-01-24 | 4.0 MEDIUM | 6.5 MEDIUM |
The SaveUserSettings service in Content Manager in SDL Web 8.5.0 has an XXE Vulnerability that allows reading sensitive files from the system. | |||||
CVE-2018-20000 | 1 Apereo | 1 Bw-webdav | 2019-01-24 | 5.0 MEDIUM | 7.5 HIGH |
Apereo Bedework bw-webdav before 4.0.3 allows XXE attacks, as demonstrated by an invite-reply document that reads a local file, related to webdav/servlet/common/MethodBase.java and webdav/servlet/common/PostRequestPars.java. | |||||
CVE-2018-20318 | 1 Wxjava Project | 1 Wxjava | 2019-01-16 | 7.5 HIGH | 9.8 CRITICAL |
An issue was discovered in weixin-java-tools v3.2.0. There is an XXE vulnerability in the getXmlDoc method of the BaseWxPayResult.java file. | |||||
CVE-2019-5312 | 1 Wxjava Project | 1 Wxjava | 2019-01-16 | 7.5 HIGH | 9.8 CRITICAL |
An issue was discovered in weixin-java-tools v3.3.0. There is an XXE vulnerability in the getXmlDoc method of the BaseWxPayResult.java file. NOTE: this issue exists because of an incomplete fix for CVE-2018-20318. | |||||
CVE-2018-1000821 | 1 Micromathematics Project | 1 Micromathematics | 2019-01-08 | 7.5 HIGH | 10.0 CRITICAL |
MicroMathematics version before commit 5c05ac8 contains an XML External Entity (XXE) vulnerability in SMathStudio files that can result in disclosure of confidential data, denial of service, SSRF, port scanning. This attack appears to be exploitable via specially crafted SMathStudio files. This vulnerability appears to have been fixed after commit 5c05ac8. | |||||
CVE-2018-1000822 | 1 Codelibs | 1 Fess | 2019-01-08 | 7.5 HIGH | 10.0 CRITICAL |
codelibs fess version before commit faa265b contains an XML External Entity (XXE) vulnerability in the GSA XML file parser that can result in disclosure of confidential data, denial of service, SSRF, port scanning. This attack appears to be exploitable via specially crafted GSA XML files. This vulnerability appears to have been fixed after commit faa265b. | |||||
CVE-2018-1000825 | 1 Freecol | 1 Freecol | 2019-01-08 | 7.5 HIGH | 10.0 CRITICAL |
FreeCol version <= nightly-2018-08-22 contains an XML External Entity (XXE) vulnerability in the FreeColXMLReader parser that can result in disclosure of confidential data, denial of service, SSRF, port scanning. This attack appears to be exploitable via a FreeCol file. |