Total: 1076 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2019-19998 | 1 Xiuno | 1 Xiunobbs | 2024-08-05 | 7.5 High |
Xiuno BBS 4.0 allows XXE via plugin/xn_wechat_public/route/token.php. | ||||
CVE-2019-19702 | 1 Modoboa | 1 Modoboa-dmarc | 2024-08-05 | 7.5 High |
The modoboa-dmarc plugin 1.1.0 for Modoboa is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this to perform a denial of service against the DMARC reporting functionality, such as by referencing the /dev/random file within XML documents that are emailed to the address in the rua field of the DMARC records of a domain. | ||||
CVE-2019-19031 | 1 Edit-xml | 1 Easy Xml Editor | 2024-08-05 | 8.1 High |
Easy XML Editor through v1.7.8 is affected by: XML External Entity Injection. The impact is: Arbitrary File Read and DoS by consuming resources. The component is: XML Parsing. The attack vector is: Specially crafted XML payload. | ||||
CVE-2019-19032 | 1 Xmlblueprint | 1 Xmlblueprint | 2024-08-05 | 8.1 High |
XMLBlueprint through 16.191112 is affected by XML External Entity Injection. The impact is: Arbitrary File Read when an XML File is validated. The component is: XML Validate function. The attack vector is: Specially crafted XML payload. | ||||
CVE-2019-18412 | 1 Jetbrains | 1 Idetalk | 2024-08-05 | 7.5 High |
JetBrains IDETalk plugin before version 193.4099.10 allows XXE. | ||||
CVE-2019-18227 | 1 Advantech | 1 Wise-paas/rmm | 2024-08-05 | 7.5 High |
Advantech WISE-PaaS/RMM, Versions 3.3.29 and prior. XXE vulnerabilities exist that may allow disclosure of sensitive data. | ||||
CVE-2019-18213 | 3 Eclipse, Theia Xml Extension Project, Xml Language Server Project | 3 Wild Web Developer, Theia Xml Extension, Xml Server Project | 2024-08-05 | 8.8 High |
XML Language Server (aka lsp4xml) before 0.9.1, as used in Red Hat XML Language Support (aka vscode-xml) before 0.9.1 for Visual Studio and other products, allows XXE via a crafted XML document, with resultant SSRF (as well as SMB connection initiation that can lead to NetNTLM challenge/response capture for password cracking). This occurs in extensions/contentmodel/participants/diagnostics/LSPXMLParserConfiguration.java. | ||||
CVE-2019-17637 | 2 Debian, Eclipse | 2 Debian Linux, Web Tools Platform | 2024-08-05 | 7.1 High |
In all versions of Eclipse Web Tools Platform through release 3.18 (2020-06), XML and DTD files referring to external entities could be exploited to send the contents of local files to a remote server when edited or validated, even when external entity resolution is disabled in the user preferences. | ||||
CVE-2019-17554 | 1 Apache | 1 Olingo | 2024-08-05 | 5.5 Medium |
The XML content type entity deserializer in Apache Olingo versions 4.0.0 to 4.6.0 is not configured to deny the resolution of external entities. Requests with content type "application/xml", which trigger the deserialization of entities, can be used to trigger XXE attacks. | ||||
CVE-2019-17085 | 1 Microfocus | 1 Operations Agent | 2024-08-05 | 6.5 Medium |
XXE attack vulnerability on Micro Focus Operations Agent, affected versions 12.0, 12.01, 12.02, 12.03, 12.04, 12.05, 12.06, 12.10, 12.11. The vulnerability could be exploited to do an XXE attack on Operations Agent. | ||||
CVE-2019-17020 | 2 Canonical, Mozilla | 2 Ubuntu Linux, Firefox | 2024-08-05 | 6.5 Medium |
If an XML file is served with a Content Security Policy and the XML file includes an XSL stylesheet, the Content Security Policy will not be applied to the contents of the XSL stylesheet. If the XSL sheet e.g. includes JavaScript, it would bypass any of the restrictions of the Content Security Policy applied to the XML document. This vulnerability affects Firefox < 72. | ||||
CVE-2019-16549 | 1 Jenkins | 1 Maven | 2024-08-05 | 8.1 High |
Jenkins Maven Release Plugin 0.16.1 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks, allowing man-in-the-middle attackers to have Jenkins parse crafted XML documents. | ||||
CVE-2019-16174 | 1 Limesurvey | 1 Limesurvey | 2024-08-05 | 8.8 High |
An XML injection vulnerability was found in Limesurvey before 3.17.14 that allows remote attackers to import specially crafted XML files and execute code or compromise data integrity. | ||||
CVE-2019-16188 | 1 Hcltech | 1 Appscan Source | 2024-08-05 | 7.1 High |
HCL AppScan Source before 9.03.13 is susceptible to XML External Entity (XXE) attacks in multiple locations. In particular, an attacker can send a specially crafted .ozasmt file to a targeted victim and ask the victim to open it. When the victim imports the .ozasmt file in AppScan Source, the content of any file in the local file system (to which the victim has read access) can be exfiltrated to a remote listener under the attacker's control. The product does not disable external XML Entity Processing, which can lead to information disclosure and denial of service attacks. | ||||
CVE-2019-15637 | 4 Apple, Linux, Microsoft and 1 more | 7 Macos, Linux Kernel, Windows and 4 more | 2024-08-05 | 8.1 High |
Numerous Tableau products are vulnerable to XXE via a malicious workbook, extension, or data source, leading to information disclosure or a DoS. This affects Tableau Server, Tableau Desktop, Tableau Reader, and Tableau Public Desktop. | ||||
CVE-2019-15641 | 1 Webmin | 1 Webmin | 2024-08-05 | N/A |
xmlrpc.cgi in Webmin through 1.930 allows authenticated XXE attacks. By default, only root, admin, and sysadm can access xmlrpc.cgi. | ||||
CVE-2019-14693 | 1 Zohocorp | 1 Manageengine Assetexplorer | 2024-08-05 | N/A |
Zoho ManageEngine AssetExplorer 6.2.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing license XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. | ||||
CVE-2019-14678 | 6 Hp, Ibm, Linux and 3 more | 15 Hp-ux, Aix, Z/os and 12 more | 2024-08-05 | 10.0 Critical |
SAS XML Mapper 9.45 has an XML External Entity (XXE) vulnerability that can be leveraged by malicious attackers in multiple ways. Examples are Local File Reading, Out Of Band File Exfiltration, Server Side Request Forgery, and/or Potential Denial of Service attacks. This vulnerability also affects the XMLV2 LIBNAME engine when the AUTOMAP option is used. | ||||
CVE-2019-14258 | 1 Zenoss | 1 Zenoss | 2024-08-05 | N/A |
The XML-RPC subsystem in Zenoss 2.5.3 allows XXE attacks that lead to unauthenticated information disclosure via port 9988. | ||||
CVE-2019-14276 | 1 Xnat | 1 Xnat | 2024-08-05 | 6.5 Medium |
WUSTL XNAT 1.7.5.3 allows XXE attacks via a POST request body. |