Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by CWE-611
Total 852 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2018-1000820 1 Neo4j 1 Awesome Procedures On Cyper 2023-01-23 7.5 HIGH 10.0 CRITICAL
neo4j-contrib neo4j-apoc-procedures version before commit 45bc09c contains a XML External Entity (XXE) vulnerability in XML Parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This vulnerability appears to have been fixed in after commit 45bc09c.
CVE-2021-4311 1 Talend 1 Open Studio 2023-01-12 N/A 9.8 CRITICAL
A vulnerability classified as problematic was found in Talend Open Studio for MDM. This vulnerability affects unknown code of the component XML Handler. The manipulation leads to xml external entity reference. The name of the patch is 31d442b9fb1d518128fd18f6e4d54e06c3d67793. It is recommended to apply a patch to fix this issue. VDB-217666 is the identifier assigned to this vulnerability.
CVE-2015-10029 1 Simplexrd Project 1 Simplexrd 2023-01-12 N/A 9.8 CRITICAL
A vulnerability classified as problematic was found in kelvinmo simplexrd up to 3.1.0. This vulnerability affects unknown code of the file simplexrd/simplexrd.class.php. The manipulation leads to xml external entity reference. Upgrading to version 3.1.1 is able to address this issue. The name of the patch is 4c9f2e028523ed705b555eca2c18c64e71f1a35d. It is recommended to upgrade the affected component. VDB-217630 is the identifier assigned to this vulnerability.
CVE-2016-15011 1 E-contract 1 Dssp 2023-01-12 N/A 9.8 CRITICAL
A vulnerability classified as problematic was found in e-Contract dssp up to 1.3.1. Affected by this vulnerability is the function checkSignResponse of the file dssp-client/src/main/java/be/e_contract/dssp/client/SignResponseVerifier.java. The manipulation leads to xml external entity reference. Upgrading to version 1.3.2 is able to address this issue. The name of the patch is ec4238349691ec66dd30b416ec6eaab02d722302. It is recommended to upgrade the affected component. The identifier VDB-217549 was assigned to this vulnerability.
CVE-2020-36641 1 Axmlrpc Project 1 Axmlrpc 2023-01-11 N/A 9.8 CRITICAL
A vulnerability classified as problematic was found in gturri aXMLRPC up to 1.12.0. This vulnerability affects the function ResponseParser of the file src/main/java/de/timroes/axmlrpc/ResponseParser.java. The manipulation leads to xml external entity reference. Upgrading to version 1.12.1 is able to address this issue. The name of the patch is ad6615b3ec41353e614f6ea5fdd5b046442a832b. It is recommended to upgrade the affected component. VDB-217450 is the identifier assigned to this vulnerability.
CVE-2020-36640 1 Bonitasoft 1 Webservice Connector 2023-01-11 N/A 9.8 CRITICAL
A vulnerability, which was classified as problematic, was found in bonitasoft bonita-connector-webservice up to 1.3.0. This affects the function TransformerConfigurationException of the file src/main/java/org/bonitasoft/connectors/ws/SecureWSConnector.java. The manipulation leads to xml external entity reference. Upgrading to version 1.3.1 is able to address this issue. The name of the patch is a12ad691c05af19e9061d7949b6b828ce48815d5. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217443.
CVE-2017-20151 1 Itextpdf 1 Rups 2023-01-09 N/A 9.8 CRITICAL
A vulnerability classified as problematic was found in iText RUPS. This vulnerability affects unknown code of the file src/main/java/com/itextpdf/rups/model/XfaFile.java. The manipulation leads to xml external entity reference. The name of the patch is ac5590925874ef810018a6b60fec216eee54fb32. It is recommended to apply a patch to fix this issue. VDB-217054 is the identifier assigned to this vulnerability.
CVE-2022-41967 1 Hypera 1 Dragonfly 2023-01-06 N/A 7.5 HIGH
Dragonfly is a Java runtime dependency management library. Dragonfly v0.3.0-SNAPSHOT does not configure DocumentBuilderFactory to prevent XML external entity (XXE) attacks. This issue is patched in 0.3.1-SNAPSHOT. As a workaround, since Dragonfly only parses XML `SNAPSHOT` versions are being resolved, this vulnerability may be avoided by not trying to resolve `SNAPSHOT` versions.
CVE-2021-4295 1 Healthit 1 Code-validator-api 2023-01-06 N/A 9.8 CRITICAL
A vulnerability classified as problematic was found in ONC code-validator-api up to 1.0.30. This vulnerability affects the function vocabularyValidationConfigurations of the file src/main/java/org/sitenv/vocabularies/configuration/CodeValidatorApiConfiguration.java of the component XML Handler. The manipulation leads to xml external entity reference. Upgrading to version 1.0.31 is able to address this issue. The name of the patch is fbd8ea121755a2d3d116b13f235bc8b61d8449af. It is recommended to upgrade the affected component. VDB-217018 is the identifier assigned to this vulnerability.
CVE-2022-4818 1 Talend 1 Open Studio For Mdm 2023-01-06 N/A 4.3 MEDIUM
A vulnerability was found in Talend Open Studio for MDM. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file org.talend.mdm.core/src/com/amalto/core/storage/SystemStorageWrapper.java. The manipulation leads to xml external entity reference. Upgrading to version 20221220_1938 is able to address this issue. The name of the patch is 95590db2ad6a582c371273ceab1a73ad6ed47853. It is recommended to upgrade the affected component. The identifier VDB-216997 was assigned to this vulnerability.
CVE-2022-4607 1 Tum 1 Ogc Web Feature Service 2023-01-06 N/A 9.8 CRITICAL
A vulnerability was found in 3D City Database OGC Web Feature Service up to 5.2.0. It has been rated as problematic. This issue affects some unknown processing. The manipulation leads to xml external entity reference. Upgrading to version 5.2.1 is able to address this issue. The name of the patch is 246f4e2a97ad81491c00a7ed72ce5e7c7f75050a. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-216215.
CVE-2022-47514 1 Xml-rpc.net Project 1 Xml-rpc.net 2022-12-22 N/A 8.8 HIGH
An XML external entity (XXE) injection vulnerability in XML-RPC.NET before 2.5.0 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks, as demonstrated by a pingback.aspx POST request.
CVE-2022-25628 1 Broadcom 1 Symantec Identity Governance And Administration 2022-12-21 N/A 8.8 HIGH
An authenticated user can perform XML eXternal Entity injection in Management Console in Symantec Identity Manager 14.4
CVE-2022-37911 1 Arubanetworks 2 Arubaos, Sd-wan 2022-12-13 N/A 5.5 MEDIUM
Due to improper restrictions on XML entities multiple vulnerabilities exist in the command line interface of ArubaOS. A successful exploit could allow an authenticated attacker to retrieve files from the local system or cause the application to consume system resources, resulting in a denial of service condition.
CVE-2020-8256 1 Pulsesecure 1 Pulse Connect Secure 2022-12-13 4.0 MEDIUM 4.9 MEDIUM
A vulnerability in the Pulse Connect Secure < 9.1R8.2 admin web interface could allow an authenticated attacker to gain arbitrary file reading access through Pulse Collaboration via XML External Entity (XXE) vulnerability.
CVE-2020-13692 5 Debian, Fedoraproject, Netapp and 2 more 5 Debian Linux, Fedora, Steelstore Cloud Integrated Storage and 2 more 2022-12-13 6.8 MEDIUM 7.7 HIGH
PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE.
CVE-2022-46682 1 Jenkins 1 Plot 2022-12-12 N/A 9.8 CRITICAL
Jenkins Plot Plugin 2.1.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2022-46827 1 Jetbrains 1 Intellij Idea 2022-12-12 N/A 5.5 MEDIUM
In JetBrains IntelliJ IDEA before 2022.3 an XXE attack leading to SSRF via requests to custom plugin repositories was possible.
CVE-2022-45326 1 Kwoksys 1 Information Server 2022-12-08 N/A 4.9 MEDIUM
An XML external entity (XXE) injection vulnerability in Kwoksys Kwok Information Server before v2.9.5.SP31 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks.
CVE-2020-24379 3 Canonical, Debian, Yaws 3 Ubuntu Linux, Debian Linux, Yaws 2022-12-06 6.8 MEDIUM 9.8 CRITICAL
WebDAV implementation in Yaws web server versions 1.81 to 2.0.7 is vulnerable to XXE injection.