Total
852 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-42301 | 1 Veritas | 1 Netbackup | 2022-10-04 | N/A | 8.8 HIGH |
| An issue was discovered in Veritas NetBackup through 10.0.0.1 and related Veritas products. The NetBackup Primary server is vulnerable to an XML External Entity (XXE) injection attack through the nbars process. | |||||
| CVE-2022-2330 | 2 Mcafee, Microsoft | 2 Data Loss Prevention Endpoint, Windows | 2022-09-30 | N/A | 6.5 MEDIUM |
| Improper Restriction of XML External Entity Reference vulnerability in DLP Endpoint for Windows prior to 11.9.100 allows a remote attacker to cause the DLP Agent to access a local service that the attacker wouldn't usually have access to via a carefully constructed XML file, which the DLP Agent doesn't parse correctly. | |||||
| CVE-2020-15772 | 1 Gradle | 1 Enterprise | 2022-09-29 | 4.0 MEDIUM | 4.9 MEDIUM |
| An issue was discovered in Gradle Enterprise 2018.5 - 2020.2.4. When configuring Gradle Enterprise to integrate with a SAML identity provider, an XML metadata file can be uploaded by an administrator. The server side processing of this file dereferences XML External Entities (XXE), allowing a remote attacker with administrative access to perform server side request forgery. | |||||
| CVE-2022-34348 | 1 Ibm | 1 Sterling Partner Engagement Manager | 2022-09-27 | N/A | 7.1 HIGH |
| IBM Sterling Partner Engagement Manager 6.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 230017. | |||||
| CVE-2022-41241 | 1 Jenkins | 1 Rqm | 2022-09-22 | N/A | 9.1 CRITICAL |
| Jenkins RQM Plugin 2.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2022-41226 | 1 Jenkins | 1 Compuware Common Configuration | 2022-09-22 | N/A | 9.8 CRITICAL |
| Jenkins Compuware Common Configuration Plugin 1.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2022-1700 | 1 Forcepoint | 5 Cloud Security Gateway, Data Loss Prevention, Email Security and 2 more | 2022-09-15 | N/A | 9.8 CRITICAL |
| Improper Restriction of XML External Entity Reference ('XXE') vulnerability in the Policy Engine of Forcepoint Data Loss Prevention (DLP), which is also leveraged by Forcepoint One Endpoint (F1E), Web Security Content Gateway, Email Security with DLP enabled, and Cloud Security Gateway prior to June 20, 2022. The XML parser in the Policy Engine was found to be improperly configured to support external entities and external DTD (Document Type Definitions), which can lead to an XXE attack. This issue affects: Forcepoint Data Loss Prevention (DLP) versions prior to 8.8.2. Forcepoint One Endpoint (F1E) with Policy Engine versions prior to 8.8.2. Forcepoint Web Security Content Gateway versions prior to 8.5.5. Forcepoint Email Security with DLP enabled versions prior to 8.5.5. Forcepoint Cloud Security Gateway prior to June 20, 2022. | |||||
| CVE-2022-32458 | 1 Digiwin | 1 Business Process Management | 2022-09-14 | N/A | 7.5 HIGH |
| Digiwin BPM has a XML External Entity Injection (XXE) vulnerability due to insufficient validation for user input. An unauthenticated remote attacker can perform XML injection attack to access arbitrary system files. | |||||
| CVE-2022-37189 | 1 Ddmal | 1 Mei2volpiano | 2022-09-09 | N/A | 7.5 HIGH |
| DDMAL MEI2Volpiano 0.8.2 is vulnerable to XML External Entity (XXE), leading to a Denial of Service. This occurs due to the usage of the unsafe 'xml.etree' library to parse untrusted XML input. | |||||
| CVE-2022-22835 | 1 Overit | 1 Geocall | 2022-09-02 | 3.5 LOW | 6.5 MEDIUM |
| An issue was discovered in OverIT Geocall before version 8.0. An authenticated user who has the Test Trasformazione XSL functionality enabled can exploit a XXE vulnerability to read arbitrary files from the filesystem. | |||||
| CVE-2022-2759 | 1 Deltaww | 1 Delta Robot Automation Studio | 2022-09-02 | N/A | 8.6 HIGH |
| Delta Electronics Delta Robot Automation Studio (DRAS) versions prior to 1.13.20 are affected by improper restrictions where the software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. This may allow an attacker to view sensitive documents and information on the affected host. | |||||
| CVE-2020-25020 | 2 Mpxj, Oracle | 2 Mpxj, Primavera Unifier | 2022-09-02 | 7.5 HIGH | 9.8 CRITICAL |
| MPXJ through 8.1.3 allows XXE attacks. This affects the GanttProjectReader and PhoenixReader components. | |||||
| CVE-2022-22489 | 3 Ibm, Linux, Microsoft | 3 Mq, Linux Kernel, Windows | 2022-08-22 | N/A | 9.1 CRITICAL |
| IBM MQ 8.0, (9.0, 9.1, 9.2 LTS), and (9.1 and 9.2 CD) are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 226339. | |||||
| CVE-2022-2838 | 1 Eclipse | 1 Sphinx | 2022-08-18 | N/A | 5.3 MEDIUM |
| In Eclipse Sphinx™ before version 0.13.1, Apache Xerces XML Parser was used without disabling processing of referenced external entities allowing the injection of arbitrary definitions which is able to access local files and expose their contents via HTTP requests. | |||||
| CVE-2020-14379 | 1 Redhat | 1 Jboss A-mq | 2022-08-17 | N/A | 5.6 MEDIUM |
| A flaw was found in Red Hat AMQ Broker in a way that a XEE attack can be done via Broker's configuration files, leading to denial of service and information disclosure. | |||||
| CVE-2020-21641 | 1 Zohocorp | 1 Manageengine Analytics Plus | 2022-08-16 | N/A | 7.5 HIGH |
| Out-of-Band XML External Entity (OOB-XXE) vulnerability in Zoho ManageEngine Analytics Plus before 4.3.5 allows remote attackers to read arbitrary files, enumerate folders and scan internal ports via crafted XML license file. | |||||
| CVE-2022-1704 | 1 Inductiveautomation | 1 Ignition | 2022-08-11 | N/A | 9.8 CRITICAL |
| Due to an XML external entity reference, the software parses XML in the backup/restore functionality without XML security flags, which may lead to a XXE attack while restoring the backup. | |||||
| CVE-2021-27777 | 1 Hcltech | 1 Unica | 2022-08-05 | 5.0 MEDIUM | 7.5 HIGH |
| XML External Entity (XXE) injection vulnerabilities occur when poorly configured XML parsers process user supplied input without sufficient validation. Attackers can exploit this vulnerability to manipulate XML content and inject malicious external entity references. | |||||
| CVE-2022-27873 | 1 Autodesk | 1 Fusion 360 | 2022-08-05 | N/A | 7.8 HIGH |
| An attacker can force the victim’s device to perform arbitrary HTTP requests in WAN through a malicious SVG file being parsed by Autodesk Fusion 360’s document parser. The vulnerability exists in the application’s ‘Insert SVG’ procedure. An attacker can also leverage this vulnerability to obtain victim’s public IP and possibly other sensitive information. | |||||
| CVE-2021-42537 | 1 Visam | 1 Vbase Web-remote | 2022-08-05 | N/A | 7.5 HIGH |
| VISAM VBASE version 11.6.0.6 processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. | |||||