Total
1076 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-16792 | 1 Solarwinds | 1 Sftp\/scp Server | 2024-08-05 | 9.1 Critical |
| SolarWinds SFTP/SCP server through 2018-09-10 is vulnerable to XXE via a world readable and writable configuration file that allows an attacker to exfiltrate data. | ||||
| CVE-2018-16303 | 1 Tracker-software | 1 Pdf-xchange Editor | 2024-08-05 | N/A |
| PDF-XChange Editor through 7.0.326.1 allows remote attackers to cause a denial of service (resource consumption) via a crafted x:xmpmeta structure, a related issue to CVE-2003-1564. | ||||
| CVE-2018-16252 | 1 Fspro | 1 Event Log Explorer | 2024-08-05 | N/A |
| FsPro Labs Event Log Explorer 4.6.1.2115 has ".elx" FileType XML External Entity Injection. | ||||
| CVE-2018-16166 | 1 Jpcert | 1 Logontracer | 2024-08-05 | N/A |
| LogonTracer 1.2.0 and earlier allows remote attackers to conduct XML External Entity (XXE) attacks via unspecified vectors. | ||||
| CVE-2018-15805 | 1 Accusoft | 1 Prizmdoc | 2024-08-05 | N/A |
| Accusoft PrizmDoc HTML5 Document Viewer before 13.5 contains an XML external entity (XXE) vulnerability, allowing an attacker to read arbitrary files or cause a denial of service (resource consumption). | ||||
| CVE-2018-15362 | 1 Ge | 1 Cimplicity | 2024-08-05 | N/A |
| XXE in GE Proficy Cimplicity GDS versions 9.0 R2, 9.5, 10.0 | ||||
| CVE-2018-15506 | 1 Bubblesoftapps | 1 Bubbleupnp | 2024-08-05 | N/A |
| In BubbleUPnP 0.9 update 30, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this vulnerability to: (1) Access arbitrary files from the filesystem with the same permission as the user account running BubbleUPnP, (2) Initiate SMB connections to capture a NetNTLM challenge/response and crack the cleartext password, or (3) Initiate SMB connections to relay a NetNTLM challenge/response and achieve Remote Command Execution in Windows domains. | ||||
| CVE-2018-15531 | 1 Javamelody Project | 1 Javamelody | 2024-08-05 | N/A |
| JavaMelody before 1.74.0 has XXE via parseSoapMethodName in bull/javamelody/PayloadNameRequestWrapper.java. | ||||
| CVE-2018-14720 | 4 Debian, Fasterxml, Oracle and 1 more | 21 Debian Linux, Jackson-databind, Banking Platform and 18 more | 2024-08-05 | N/A |
| FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization. | ||||
| CVE-2018-14473 | 1 Ocsinventory-ng | 1 Ocsinventory Ng | 2024-08-05 | N/A |
| OCS Inventory 2.4.1 lacks a proper XML parsing configuration, allowing the use of external entities. This issue can be exploited by an attacker sending a crafted HTTP request in order to exfiltrate information or cause a Denial of Service. | ||||
| CVE-2018-14485 | 1 Blogengine | 1 Blogengine.net | 2024-08-05 | N/A |
| BlogEngine.NET 3.3 allows XXE attacks via the POST body to metaweblog.axd. | ||||
| CVE-2018-14383 | 1 Ttpsc | 1 The Scheduler | 2024-08-05 | N/A |
| The Transition Technologies "The Scheduler" app 5.1.3 for Jira allows XXE due to a weakly configured/parameterized XML parser. It was fixed in the versions 5.2.1 and 3.3.7 | ||||
| CVE-2018-14065 | 1 Phpoffice Project | 1 Common | 2024-08-05 | N/A |
| XMLReader.php in PHPOffice Common before 0.2.9 allows XXE. | ||||
| CVE-2018-13417 | 1 Vuze | 1 Bittorrent Client | 2024-08-05 | N/A |
| In Vuze Bittorrent Client 5.7.6.0, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this vulnerability to: (1) Access arbitrary files from the filesystem with the same permission as the user account running Vuze, (2) Initiate SMB connections to capture a NetNTLM challenge/response and crack to cleartext password, or (3) Initiate SMB connections to relay a NetNTLM challenge/response and achieve Remote Command Execution in Windows domains. | ||||
| CVE-2018-13415 | 1 Plex | 1 Media Server | 2024-08-05 | N/A |
| In Plex Media Server 1.13.2.5154, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this vulnerability to: (1) Access arbitrary files from the filesystem with the same permission as the user account running Plex, (2) Initiate SMB connections to capture a NetNTLM challenge/response and crack to cleartext password, or (3) Initiate SMB connections to relay a NetNTLM challenge/response and achieve Remote Command Execution in Windows domains. | ||||
| CVE-2018-13439 | 1 Tencent | 1 Wechat Pay | 2024-08-05 | N/A |
| WXPayUtil in WeChat Pay Java SDK allows XXE attacks involving a merchant notification URL. | ||||
| CVE-2018-13416 | 1 Spirton | 1 Universal Media Server | 2024-08-05 | N/A |
| In Universal Media Server (UMS) 7.1.0, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this vulnerability to: (1) Access arbitrary files from the filesystem with the same permission as the user account running UMS, (2) Initiate SMB connections to capture a NetNTLM challenge/response and crack to cleartext password, or (3) Initiate SMB connections to relay a NetNTLM challenge/response and achieve Remote Command Execution in Windows domains. | ||||
| CVE-2018-12585 | 1 Opcfoundation | 2 Ua-.net-legacy, Ua-java | 2024-08-05 | N/A |
| An XXE vulnerability in the OPC UA Java and .NET Legacy Stack can allow remote attackers to trigger a denial of service. | ||||
| CVE-2018-12544 | 2 Eclipse, Redhat | 2 Vert.x, Openshift Application Runtimes | 2024-08-05 | N/A |
| In version from 3.5.Beta1 to 3.5.3 of Eclipse Vert.x, the OpenAPI XML type validator creates XML parsers without taking appropriate defense against XML attacks. This mechanism is exclusively when the developer uses the Eclipse Vert.x OpenAPI XML type validator to validate a provided schema. | ||||
| CVE-2018-11788 | 1 Apache | 1 Karaf | 2024-08-05 | N/A |
| Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by XMLInputFactory class. Apache Karaf XMLInputFactory class doesn't contain any mitigation codes against XXE. This is a potential security risk as an user can inject external XML entities in Apache Karaf version prior to 4.1.7 or 4.2.2. It has been fixed in Apache Karaf 4.1.7 and 4.2.2 releases. | ||||