Total
74 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-10868 | 1 Redhat | 1 Certification | 2024-08-05 | 7.5 High |
| redhat-certification 7 does not properly restrict the number of recursive definitions of entities in XML documents, allowing an unauthenticated user to run a "Billion Laugh Attack" by replying to XMLRPC methods when getting the status of an host. | ||||
| CVE-2019-15903 | 3 Libexpat Project, Python, Redhat | 5 Libexpat, Python, Enterprise Linux and 2 more | 2024-08-05 | 7.5 High |
| In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read. | ||||
| CVE-2019-15160 | 1 Kbrw | 1 Sweet Xml | 2024-08-05 | N/A |
| The SweetXml (aka sweet_xml) package through 0.6.6 for Erlang and Elixir allows attackers to cause a denial of service (resource consumption) via an XML entity expansion attack with an inline DTD. | ||||
| CVE-2019-12401 | 1 Apache | 1 Solr | 2024-08-04 | 7.5 High |
| Solr versions 1.3.0 to 1.4.1, 3.1.0 to 3.6.2 and 4.0.0 to 4.10.4 are vulnerable to an XML resource consumption attack (a.k.a. Lol Bomb) via it’s update handler.?By leveraging XML DOCTYPE and ENTITY type elements, the attacker can create a pattern that will expand when the server parses the XML causing OOMs. | ||||
| CVE-2019-5442 | 1 Pippo | 1 Pippo | 2024-08-04 | 7.5 High |
| XML Entity Expansion (Billion Laughs Attack) on Pippo 1.12.0 results in Denial of Service.Entities are created recursively and large amounts of heap memory is taken. Eventually, the JVM process will run out of memory. Otherwise, if the OS does not bound the memory on that process, memory will continue to be exhausted and will affect other processes on the system. | ||||
| CVE-2019-5427 | 4 Fedoraproject, Mchange, Oracle and 1 more | 12 Fedora, C3p0, Communications Ip Service Activator and 9 more | 2024-08-04 | 7.5 High |
| c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration. | ||||
| CVE-2020-24665 | 1 Hitachi | 1 Vantara Pentaho | 2024-08-04 | 6.5 Medium |
| The Dashboard Editor in Hitachi Vantara Pentaho through 7.x - 8.x contains an XML Entity Expansion injection vulnerability, which allows an authenticated remote users to trigger a denial of service (DoS) condition. Specifically, the vulnerability lies in the 'dashboardXml' parameter. Remediated in >= 7.1.0.25, >= 8.2.0.6, >= 8.3.0.0 GA | ||||
| CVE-2020-24590 | 1 Wso2 | 2 Api Manager, Api Microgateway | 2024-08-04 | 9.1 Critical |
| The Management Console in WSO2 API Manager through 3.1.0 and API Microgateway 2.2.0 allows XML Entity Expansion attacks. | ||||
| CVE-2020-15303 | 1 Infoblox | 1 Nios | 2024-08-04 | 6.5 Medium |
| Infoblox NIOS before 8.5.2 allows entity expansion during an XML upload operation, a related issue to CVE-2003-1564. | ||||
| CVE-2020-11462 | 1 Openvpn | 1 Openvpn Access Server | 2024-08-04 | 7.5 High |
| An issue was discovered in OpenVPN Access Server before 2.7.0 and 2.8.x before 2.8.3. With the full featured RPC2 interface enabled, it is possible to achieve a temporary DoS state of the management interface when sending an XML Entity Expansion (XEE) payload to the XMLRPC based RPC2 interface. The duration of the DoS state depends on available memory and CPU speed. The default restricted mode of the RPC2 interface is NOT vulnerable. | ||||
| CVE-2020-6856 | 1 Sos-berlin | 1 Jobscheduler | 2024-08-04 | 6.5 Medium |
| An XML External Entity (XEE) vulnerability exists in the JOC Cockpit component of SOS JobScheduler 1.12 and 1.13.2 allows attackers to read files from the server via an entity declaration in any of the XML documents that are used to specify the run-time settings of jobs and orders. | ||||
| CVE-2020-5227 | 1 Feedgen Project | 1 Feedgen | 2024-08-04 | 4.4 Medium |
| Feedgen (python feedgen) before 0.9.0 is susceptible to XML Denial of Service attacks. The *feedgen* library allows supplying XML as content for some of the available fields. This XML will be parsed and integrated into the existing XML tree. During this process, feedgen is vulnerable to XML Denial of Service Attacks (e.g. XML Bomb). This becomes a concern in particular if feedgen is used to include content from untrused sources and if XML (including XHTML) is directly included instead of providing plain tex content only. This problem has been fixed in feedgen 0.9.0 which disallows XML entity expansion and external resources. | ||||
| CVE-2020-3946 | 1 Vmware | 1 Installbuilder | 2024-08-04 | 7.5 High |
| InstallBuilder AutoUpdate tool and regular installers enabling <checkForUpdates> built with versions earlier than 19.11 are vulnerable to Billion laughs attack (denial-of-service). | ||||
| CVE-2020-2172 | 1 Jenkins | 1 Code Coverage Api | 2024-08-04 | 6.5 Medium |
| Jenkins Code Coverage API Plugin 1.1.4 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | ||||
| CVE-2021-41559 | 1 Silverstripe | 1 Silverstripe | 2024-08-04 | 6.5 Medium |
| Silverstripe silverstripe/framework 4.8.1 has a quadratic blowup in Convert::xml2array() that enables a remote attack via a crafted XML document. | ||||
| CVE-2021-40511 | 1 Obdasystems | 1 Mastro | 2024-08-04 | 7.5 High |
| OBDA systems’ Mastro 1.0 is vulnerable to XML Entity Expansion (aka “billion laughs”) attack allowing denial of service. | ||||
| CVE-2021-38490 | 1 Altova | 1 Mobiletogether Server | 2024-08-04 | 7.5 High |
| Altova MobileTogether Server before 7.3 SP1 allows XML exponential entity expansion, a different vulnerability than CVE-2021-37425. | ||||
| CVE-2021-32623 | 1 Apereo | 1 Opencast | 2024-08-03 | 8.1 High |
| Opencast is a free and open source solution for automated video capture and distribution. Versions of Opencast prior to 9.6 are vulnerable to the billion laughs attack, which allows an attacker to easily execute a (seemingly permanent) denial of service attack, essentially taking down Opencast using a single HTTP request. To exploit this, users need to have ingest privileges, limiting the group of potential attackers The problem has been fixed in Opencast 9.6. There is no known workaround for this issue. | ||||
| CVE-2021-31842 | 1 Mcafee | 1 Endpoint Security | 2024-08-03 | 5 Medium |
| XML Entity Expansion injection vulnerability in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 September 2021 Update allows a local user to initiate high CPU and memory consumption resulting in a Denial of Service attack through carefully editing the EPDeploy.xml file and then executing the setup process. | ||||
| CVE-2021-23926 | 5 Apache, Debian, Netapp and 2 more | 8 Xmlbeans, Debian Linux, Oncommand Unified Manager Core Package and 5 more | 2024-08-03 | 9.1 Critical |
| The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0. | ||||