Total
1107 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-49535 | 3 Adobe, Apple, Microsoft | 6 Acrobat, Acrobat Dc, Acrobat Reader and 3 more | 2025-01-15 | 6.3 Medium |
| Acrobat Reader versions 24.005.20307, 24.001.30213, 24.001.30193, 20.005.30730, 20.005.30710 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that allows an attacker to provide malicious XML input containing a reference to an external entity, leading to unauthorized read access to the file system. Exploitation of this issue requires user interaction in that a victim must process a malicious XML document. | ||||
| CVE-2023-32706 | 1 Splunk | 2 Splunk, Splunk Cloud Platform | 2025-01-15 | 7.7 High |
| On Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, an unauthenticated attacker can send specially-crafted messages to the XML parser within SAML authentication to cause a denial of service in the Splunk daemon. | ||||
| CVE-2024-49064 | 1 Microsoft | 1 Sharepoint Server | 2025-01-15 | 6.5 Medium |
| Microsoft SharePoint Information Disclosure Vulnerability | ||||
| CVE-2024-12298 | 2025-01-14 | 5.5 Medium | ||
| We found a vulnerability Improper Restriction of XML External Entity Reference (CWE-611) in NB-series NX-Designer. Attackers may be able to abuse this vulnerability to disclose confidential data on a computer. | ||||
| CVE-2024-46603 | 2025-01-09 | 7.5 High | ||
| An XML External Entity (XXE) vulnerability in Elspec Engineering G5 Digital Fault Recorder Firmware v1.2.1.12 allows attackers to cause a Denial of Service (DoS) via a crafted XML payload. | ||||
| CVE-2024-46602 | 2025-01-09 | 7.5 High | ||
| An issue was discovered in Elspec G5 digital fault recorder version 1.2.1.12 and earlier. An XML External Entity (XXE) vulnerability may allow an attacker to cause a Denial of Service (DoS) via a crafted XML payload. | ||||
| CVE-2024-30043 | 1 Microsoft | 1 Sharepoint Server | 2025-01-08 | 6.5 Medium |
| Microsoft SharePoint Server Information Disclosure Vulnerability | ||||
| CVE-2023-34411 | 1 Xml Library Project | 1 Xml Library | 2025-01-08 | 7.5 High |
| The xml-rs crate before 0.8.14 for Rust and Crab allows a denial of service (panic) via an invalid <! token (such as <!DOCTYPEs/%<!A nesting) in an XML document. The earliest affected version is 0.8.9. | ||||
| CVE-2023-46590 | 1 Siemens | 1 Siemens Opc Ua Modeling Editor | 2025-01-08 | 7.5 High |
| A vulnerability has been identified in Siemens OPC UA Modelling Editor (SiOME) (All versions < V2.8). Affected products suffer from a XML external entity (XXE) injection vulnerability. This vulnerability could allow an attacker to interfere with an application's processing of XML data and read arbitrary files in the system. | ||||
| CVE-2023-24470 | 1 Microfocus | 1 Arcsight Logger | 2025-01-06 | 9.1 Critical |
| Potential XML External Entity Injection in ArcSight Logger versions prior to 7.3.0. | ||||
| CVE-2023-29498 | 1 Fujielectric | 1 Frenic Rhc Loader | 2025-01-03 | 5.5 Medium |
| Improper restriction of XML external entity reference (XXE) vulnerability exists in FRENIC RHC Loader v1.1.0.3 and earlier. If a user opens a specially crafted project file, sensitive information on the system where the affected product is installed may be disclosed. | ||||
| CVE-2024-56324 | 2025-01-03 | N/A | ||
| GoCD is a continuous deliver server. GoCD versions prior to 24.4.0 can allow GoCD "group admins" to abuse ability to edit the raw XML configuration for groups they administer to trigger XML External Entity (XXE) injection on the GoCD server. Theoretically, the XXE vulnerability can result in additional attacks such as SSRF, information disclosure from the GoCD server, and directory traversal, although these additional attacks have not been explicitly demonstrated as exploitable. This issue is fixed in GoCD 24.5.0. Some workarounds are available. One may temporarily block access to `/go/*/pipelines/snippet` routes from an external reverse proxy or WAF if one's "group admin" users do not need the functionality to edit the XML of pipelines directly (rather than using the UI, or using a configuration repository). One may also prevent external access from one's GoCD server to arbitrary locations using some kind of environment egress control. | ||||
| CVE-2024-56322 | 2025-01-03 | N/A | ||
| GoCD is a continuous deliver server. GoCD versions 16.7.0 through 24.4.0 (inclusive) can allow GoCD admins to abuse a hidden/unused configuration repository (pipelines as code) feature to allow XML External Entity (XXE) injection on the GoCD Server which will be executed when GoCD periodically scans configuration repositories for pipeline updates, or is triggered by an administrator or config repo admin. In practice the impact of this vulnerability is limited, in most cases without combining with another vulnerability, as only GoCD (super) admins have the ability to abuse this vulnerability. Typically a malicious GoCD admin can cause much larger damage than that they can do with XXE injection. The issue is fixed in GoCD 24.5.0. As a workaround, prevent external access from the GoCD server to arbitrary locations using some kind of environment egress control. | ||||
| CVE-2024-55081 | 2025-01-02 | 9.8 Critical | ||
| An XML External Entity (XXE) injection vulnerability in the component /datagrip/upload of Chat2DB v0.3.5 allows attackers to execute arbitrary code via supplying a crafted XML input. | ||||
| CVE-2022-34716 | 2 Microsoft, Redhat | 5 .net, .net Core, Powershell and 2 more | 2025-01-02 | 5.9 Medium |
| .NET Spoofing Vulnerability | ||||
| CVE-2024-56356 | 1 Jetbrains | 1 Teamcity | 2025-01-02 | 5.9 Medium |
| In JetBrains TeamCity before 2024.12 insecure XMLParser configuration could lead to potential XXE attack | ||||
| CVE-2023-36419 | 1 Microsoft | 1 Azure Hdinsights | 2025-01-01 | 8.8 High |
| Azure HDInsight Apache Oozie Workflow Scheduler XXE Elevation of Privilege Vulnerability | ||||
| CVE-2023-35389 | 1 Microsoft | 1 Dynamics 365 | 2025-01-01 | 6.5 Medium |
| Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability | ||||
| CVE-2024-40896 | 2024-12-24 | 9.1 Critical | ||
| In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting "checked"). This makes classic XXE attacks possible. | ||||
| CVE-2021-22501 | 2024-12-20 | N/A | ||
| Improper Restriction of XML External Entity Reference vulnerability in OpenText™ Operations Bridge Manager allows Input Data Manipulation. The vulnerability could be exploited to confidential information This issue affects Operations Bridge Manager: 2017.05, 2017.11, 2018.05, 2018.11, 2019.05, 2019.11, 2020.05, 2020.10. | ||||