Total
1076 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-13625 | 1 Nsa | 1 Ghidra | 2024-08-04 | N/A |
| NSA Ghidra before 9.0.1 allows XXE when a project is opened or restored, or a tool is imported, as demonstrated by a project.prp file. | ||||
| CVE-2019-13608 | 1 Citrix | 1 Storefront Server | 2024-08-04 | N/A |
| Citrix StoreFront Server before 1903, 7.15 LTSR before CU4 (3.12.4000), and 7.6 LTSR before CU8 (3.0.8000) allows XXE attacks. | ||||
| CVE-2019-13358 | 1 Opencats | 1 Opencats | 2024-08-04 | 7.5 High |
| lib/DocumentToText.php in OpenCats before 0.9.4-3 has XXE that allows remote users to read files on the underlying operating system. The attacker must upload a file in the docx or odt format. | ||||
| CVE-2019-13176 | 1 3cx | 1 3cx | 2024-08-04 | N/A |
| An issue was discovered in the 3CX Phone system (web) management console 12.5.44178.1002 through 12.5 SP2. The Content.MainForm.wgx component is affected by XXE via a crafted XML document in POST data. There is potential to use this for SSRF (reading local files, outbound HTTP, and outbound DNS). | ||||
| CVE-2019-13031 | 2 Debian, Lemonldap-ng | 2 Debian Linux, Lemonldap\ | 2024-08-04 | N/A |
| LemonLDAP::NG before 1.9.20 has an XML External Entity (XXE) issue when submitting a notification to the notification server. By default, the notification server is not enabled and has a "deny all" rule. | ||||
| CVE-2019-12924 | 1 Mailenable | 1 Mailenable | 2024-08-04 | N/A |
| MailEnable Enterprise Premium 10.23 was vulnerable to XML External Entity Injection (XXE) attacks that could be exploited by an unauthenticated user. It was possible for an attacker to use a vulnerability in the configuration of the XML processor to read any file on the host system. Because all credentials were stored in a cleartext file, it was possible to steal all users' credentials (including the highest privileged users). | ||||
| CVE-2019-12415 | 3 Apache, Oracle, Redhat | 28 Poi, Application Testing Suite, Banking Enterprise Originations and 25 more | 2024-08-04 | 5.5 Medium |
| In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing. | ||||
| CVE-2019-12154 | 1 Realobjects | 1 Pdfreactor | 2024-08-04 | N/A |
| XXE in the XML parser library in RealObjects PDFreactor before 10.1.10722 allows attackers to supply malicious XML content in externally referenced resources, leading to disclosure of local file contents and/or denial of service conditions. | ||||
| CVE-2019-11677 | 1 Zohocorp | 1 Manageengine Firewall Analyzer | 2024-08-04 | N/A |
| The Custom Report import function in Zoho ManageEngine Firewall Analyzer before 12.3 Build 123224 is vulnerable to XML External Entity (XXE) Injection. | ||||
| CVE-2019-11519 | 1 Nopcommerce | 1 Nopcommerce | 2024-08-04 | N/A |
| Libraries/Nop.Services/Localization/LocalizationService.cs in nopCommerce through 4.10 allows XXE via the "Configurations -> Languages -> Edit Language -> Import Resources -> Upload XML file" screen. | ||||
| CVE-2019-11392 | 1 Dotnetblogengine | 1 Blogengine.net | 2024-08-04 | N/A |
| BlogEngine.NET 3.3.7 and earlier allows XXE via an apml file to syndication.axd. | ||||
| CVE-2019-11216 | 1 Bmc | 1 Remedy Smart Reporting | 2024-08-04 | 6.5 Medium |
| BMC Smart Reporting 7.3 20180418 allows authenticated XXE within the import functionality. One can import a malicious XML file and perform XXE attacks to download local files from the server, or do DoS attacks with XML expansion attacks. XXE with direct response and XXE OOB are allowed. | ||||
| CVE-2019-10976 | 1 Mitsubishielectric | 2 Electric Fr Configurator2, Electric Fr Configurator2 Firmware | 2024-08-04 | N/A |
| Mitsubishi Electric FR Configurator2, Version 1.16S and prior. This vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project and/or template file (.frc2). Once a user opens the file, the attacker could read arbitrary files. | ||||
| CVE-2019-10782 | 1 Checkstyle | 1 Checkstyle | 2024-08-04 | 5.3 Medium |
| All versions of com.puppycrawl.tools:checkstyle before 8.29 are vulnerable to XML External Entity (XXE) Injection due to an incomplete fix for CVE-2019-9658. | ||||
| CVE-2019-10718 | 1 Dotnetblogengine | 1 Blogengine.net | 2024-08-04 | N/A |
| BlogEngine.NET 3.3.7.0 and earlier allows XML External Entity Blind Injection, related to pingback.axd and BlogEngine.Core/Web/HttpHandlers/PingbackHandler.cs. | ||||
| CVE-2019-10466 | 1 Jenkins | 1 360 Fireline | 2024-08-04 | 8.1 High |
| An XML external entities (XXE) vulnerability in Jenkins 360 FireLine Plugin allows attackers with Overall/Read access to have Jenkins resolve external entities, resulting in the extraction of secrets from the Jenkins agent, server-side request forgery, or denial-of-service attacks. | ||||
| CVE-2019-10337 | 2 Jenkins, Redhat | 2 Token Macro, Openshift | 2024-08-04 | N/A |
| An XML external entities (XXE) vulnerability in Jenkins Token Macro Plugin 2.7 and earlier allowed attackers able to control a the content of the input file for the "XML" macro to have Jenkins resolve external entities, resulting in the extraction of secrets from the Jenkins agent, server-side request forgery, or denial-of-service attacks. | ||||
| CVE-2019-10327 | 1 Jenkins | 1 Pipeline Maven Integration | 2024-08-04 | N/A |
| An XML external entities (XXE) vulnerability in Jenkins Pipeline Maven Integration Plugin 1.7.0 and earlier allowed attackers able to control a temporary directory's content on the agent running the Maven build to have Jenkins parse a maliciously crafted XML file that uses external entities for extraction of secrets from the Jenkins master, server-side request forgery, or denial-of-service attacks. | ||||
| CVE-2019-10309 | 1 Jenkins | 1 Self-organizing Swarm Modules | 2024-08-04 | N/A |
| Jenkins Self-Organizing Swarm Plug-in Modules Plugin clients that use UDP broadcasts to discover Jenkins masters do not prevent XML External Entity processing when processing the responses, allowing unauthorized attackers on the same network to read arbitrary files from Swarm clients. | ||||
| CVE-2019-10244 | 1 Eclipse | 1 Kura | 2024-08-04 | N/A |
| In Eclipse Kura versions up to 4.0.0, the Web UI package and component services, the Artemis simple Mqtt component and the emulator position service (not part of the device distribution) could potentially be target of XXE attack due to an improper factory and parser initialisation. | ||||