Total
1076 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-11758 | 1 Apache | 1 Cayenne | 2024-09-16 | N/A |
| This affects Apache Cayenne 4.1.M1, 3.2.M1, 4.0.M2 to 4.0.M5, 4.0.B1, 4.0.B2, 4.0.RC1, 3.1, 3.1.1, 3.1.2. CayenneModeler is a desktop GUI tool shipped with Apache Cayenne and intended for editing Cayenne ORM models stored as XML files. If an attacker tricks a user of CayenneModeler into opening a malicious XML file, the attacker will be able to instruct the XML parser built into CayenneModeler to transfer files from a local machine to a remote machine controlled by the attacker. The cause of the issue is XML parser processing XML External Entity (XXE) declarations included in XML. The vulnerability is addressed in Cayenne by disabling XXE processing in all operations that require XML parsing. | ||||
| CVE-2020-4377 | 1 Ibm | 1 Cognos Analytics | 2024-09-16 | 9.1 Critical |
| IBM Cognos Anaytics 11.0 and 11.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 179156. | ||||
| CVE-2017-1666 | 1 Ibm | 1 Security Key Lifecycle Manager | 2024-09-16 | N/A |
| IBM Tivoli Key Lifecycle Manager 2.5, 2.6, and 2.7 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 133540. | ||||
| CVE-2018-1000198 | 1 Jenkins | 1 Black Duck Hub | 2024-09-16 | N/A |
| A XML external entity processing vulnerability exists in Jenkins Black Duck Hub Plugin 3.1.0 and older in PostBuildScanDescriptor.java that allows attackers with Overall/Read permission to make Jenkins process XML eternal entities in an XML document. | ||||
| CVE-2021-43990 | 1 Fanuc | 1 Roboguide | 2024-09-16 | 6.1 Medium |
| The affected product is vulnerable to a network-based attack by threat actors supplying a crafted, malicious XML payload designed to trigger an external entity reference call. | ||||
| CVE-2022-31775 | 1 Ibm | 1 Datapower Gateway | 2024-09-16 | 9.1 Critical |
| IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 228359. | ||||
| CVE-2022-36773 | 2 Ibm, Netapp | 2 Cognos Analytics, Oncommand Insight | 2024-09-16 | 8.1 High |
| IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 233571. | ||||
| CVE-2021-27777 | 1 Hcltech | 1 Unica | 2024-09-16 | 7.5 High |
| XML External Entity (XXE) injection vulnerabilities occur when poorly configured XML parsers process user supplied input without sufficient validation. Attackers can exploit this vulnerability to manipulate XML content and inject malicious external entity references. | ||||
| CVE-2018-8027 | 1 Apache | 1 Camel | 2024-09-16 | N/A |
| Apache Camel 2.20.0 to 2.20.3 and 2.21.0 Core is vulnerable to XXE in XSD validation processor. | ||||
| CVE-2020-4481 | 1 Ibm | 1 Urbancode Deploy | 2024-09-16 | 8.2 High |
| IBM UrbanCode Deploy (UCD) 6.2.7.3, 6.2.7.4, 7.0.3.0, and 7.0.4.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 181848. | ||||
| CVE-2022-23170 | 1 Sysaid | 1 Okta Sso | 2024-09-16 | 5.9 Medium |
| SysAid - Okta SSO integration - was found vulnerable to XML External Entity Injection vulnerability. Any SysAid environment that uses the Okta SSO integration might be vulnerable. An unauthenticated attacker could exploit the XXE vulnerability by sending a malformed POST request to the identity provider endpoint. An attacker can extract the identity provider endpoint by decoding the SAMLRequest parameter's value and searching for the AssertionConsumerServiceURL parameter's value. It often allows an attacker to view files on the application server filesystem and interact with any back-end or external systems that the application can access. In some situations, an attacker can escalate an XXE attack to compromise the underlying server or other back-end infrastructure by leveraging the XXE vulnerability to perform server-side request forgery (SSRF) attacks. | ||||
| CVE-2018-1307 | 1 Apache | 1 Juddi | 2024-09-16 | N/A |
| In Apache jUDDI 3.2 through 3.3.4, if using the WADL2Java or WSDL2Java classes, which parse a local or remote XML document and then mediates the data structures into UDDI data structures, there are little protections present against entity expansion and DTD type of attacks. Mitigation is to use 3.3.5. | ||||
| CVE-2017-12620 | 1 Apache | 1 Opennlp | 2024-09-16 | N/A |
| When loading models or dictionaries that contain XML it is possible to perform an XXE attack, since Apache OpenNLP is a library, this only affects applications that load models or dictionaries from untrusted sources. The versions 1.5.0 to 1.5.3, 1.6.0, 1.7.0 to 1.7.2, 1.8.0 to 1.8.1 of Apache OpenNLP are affected. | ||||
| CVE-2022-22489 | 3 Ibm, Linux, Microsoft | 3 Mq, Linux Kernel, Windows | 2024-09-16 | 9.1 Critical |
| IBM MQ 8.0, (9.0, 9.1, 9.2 LTS), and (9.1 and 9.2 CD) are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 226339. | ||||
| CVE-2017-5828 | 1 Hp | 1 Aruba Clearpass Policy Manager | 2024-09-16 | N/A |
| An arbitrary command execution vulnerability in HPE Aruba ClearPass Policy Manager version 6.6.x was found. | ||||
| CVE-2019-18943 | 1 Microfocus | 1 Solutions Business Manager | 2024-09-16 | 6.1 Medium |
| Micro Focus Solutions Business Manager versions prior to 11.7.1 are vulnerable to XML External Entity Processing (XXE) on certain operations. | ||||
| CVE-2018-3881 | 1 Focalscope | 1 Focalscope | 2024-09-16 | 9.4 Critical |
| An exploitable unauthenticated XML external injection vulnerability was identified in FocalScope v2416. A unauthenticated attacker could submit a specially crafted web request to FocalScope's server that could cause an XXE, and potentially result in data compromise. | ||||
| CVE-2018-20298 | 1 S3browser | 1 S3 Browser | 2024-09-16 | N/A |
| S3 Browser before 8.1.5 contains an XML external entity (XXE) vulnerability, allowing remote attackers to read arbitrary files and obtain NTLMv2 hash values by tricking a user into connecting to a malicious server via the S3 protocol. | ||||
| CVE-2020-5323 | 1 Dell | 2 Emc Openmanage Enterprise, Emc Openmanage Enterprise-modular | 2024-09-16 | 5.4 Medium |
| Dell EMC OpenManage Enterprise (OME) versions prior to 3.2 and OpenManage Enterprise-Modular (OME-M) versions prior to 1.10.00 contain an injection vulnerability. A remote authenticated malicious user with low privileges could potentially exploit this vulnerability to gain access to sensitive information or cause denial-of-service. | ||||
| CVE-2019-1003015 | 1 Jenkins | 1 Job Import | 2024-09-16 | N/A |
| An XML external entity processing vulnerability exists in Jenkins Job Import Plugin 2.1 and earlier in src/main/java/org/jenkins/ci/plugins/jobimport/client/RestApiClient.java that allows attackers with the ability to control the HTTP server (Jenkins) queried in preparation of job import to read arbitrary files, perform a denial of service attack, etc. | ||||