Total
1076 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-36640 | 1 Bonitasoft | 1 Webservice Connector | 2024-08-04 | 5.5 Medium |
| A vulnerability, which was classified as problematic, was found in bonitasoft bonita-connector-webservice up to 1.3.0. This affects the function TransformerConfigurationException of the file src/main/java/org/bonitasoft/connectors/ws/SecureWSConnector.java. The manipulation leads to xml external entity reference. Upgrading to version 1.3.1 is able to address this issue. The patch is named a12ad691c05af19e9061d7949b6b828ce48815d5. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217443. | ||||
| CVE-2020-36641 | 1 Gturri | 1 Axmlrpc | 2024-08-04 | 5.5 Medium |
| A vulnerability classified as problematic was found in gturri aXMLRPC up to 1.12.0. This vulnerability affects the function ResponseParser of the file src/main/java/de/timroes/axmlrpc/ResponseParser.java. The manipulation leads to xml external entity reference. Upgrading to version 1.14.0 is able to address this issue. The patch is identified as 456752ebc1ef4c0db980cb5b01a0b3cd0a9e0bae. It is recommended to upgrade the affected component. VDB-217450 is the identifier assigned to this vulnerability. | ||||
| CVE-2020-36124 | 1 Paxtechnology | 1 Paxstore | 2024-08-04 | 6.5 Medium |
| Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by XML External Entity (XXE) injection. An authenticated attacker can compromise the private keys of a JWT token and reuse them to manipulate the access tokens to access the platform as any desired user (clients and administrators). | ||||
| CVE-2020-35604 | 1 Kronos | 1 Web Time And Attendance | 2024-08-04 | 9.8 Critical |
| An XXE attack can occur in Kronos WebTA 5.0.4 when SAML is used. | ||||
| CVE-2020-35123 | 1 Zimbra | 1 Collaboration | 2024-08-04 | 6.5 Medium |
| In Zimbra Collaboration Suite Network Edition versions < 9.0.0 P10 and 8.8.15 P17, there exists an XXE vulnerability in the saml consumer store extension, which is vulnerable to XXE attacks. This has been fixed in Zimbra Collaboration Suite Network edition 9.0.0 Patch 10 and 8.8.15 Patch 17. | ||||
| CVE-2020-29436 | 1 Sonatype | 1 Nexus Repository Manager | 2024-08-04 | 6.5 Medium |
| Sonatype Nexus Repository Manager 3.x before 3.29.0 allows a user with admin privileges to configure the system to gain access to content outside of NXRM via an XXE vulnerability. Fixed in version 3.29.0. | ||||
| CVE-2020-28736 | 1 Plone | 1 Plone | 2024-08-04 | 8.8 High |
| Plone before 5.2.3 allows XXE attacks via a feature that is protected by an unapplied permission of plone.schemaeditor.ManageSchemata (therefore, only available to the Manager role). | ||||
| CVE-2020-28734 | 1 Plone | 1 Plone | 2024-08-04 | 8.8 High |
| Plone before 5.2.3 allows XXE attacks via a feature that is explicitly only available to the Manager role. | ||||
| CVE-2020-28387 | 1 Siemens | 1 Solid Edge | 2024-08-04 | 5.5 Medium |
| A vulnerability has been identified in Solid Edge SE2020 (All Versions < SE2020MP13), Solid Edge SE2021 (All Versions < SE2021MP3). When opening a specially crafted SEECTCXML file, the application could disclose arbitrary files to remote attackers. This is because of the passing of specially crafted content to the underlying XML parser without taking proper restrictions such as prohibiting an external dtd. (ZDI-CAN-11923) | ||||
| CVE-2020-27858 | 1 Arcserve | 1 D2d | 2024-08-04 | 7.5 High |
| This vulnerability allows remote attackers to disclose sensitive information on affected installations of CA Arcserve D2D 16.5. Authentication is not required to exploit this vulnerability. The specific flaw exists within the getNews method. Due to the improper restriction of XML External Entity (XXE) references, a specially-crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM. Was ZDI-CAN-11103. | ||||
| CVE-2020-25750 | 1 Dotplant | 1 Dotplant2 | 2024-08-04 | 7.5 High |
| An issue was discovered in DotPlant2 before 2020-09-14. In class Pay2PayPayment in payment/Pay2PayPayment.php, there is an XXE vulnerability in the checkResult function. The user input ($_POST['xml']) is used for simplexml_load_string without sanitization. NOTE: This vulnerability only affects products that are no longer supported by the maintainer | ||||
| CVE-2020-27017 | 2 Microsoft, Trendmicro | 2 Windows, Interscan Messaging Security Virtual Appliance | 2024-08-04 | 4.9 Medium |
| Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 is vulnerable to an XML External Entity Processing (XXE) vulnerability which could allow an authenticated administrator to read arbitrary local files. An attacker must already have obtained product administrator/root privileges to exploit this vulnerability. | ||||
| CVE-2020-26981 | 1 Siemens | 2 Jt2go, Teamcenter Visualization | 2024-08-04 | 6.5 Medium |
| A vulnerability has been identified in JT2Go (All versions < V13.1.0), Teamcenter Visualization (All versions < V13.1.0). When opening a specially crafted xml file, the application could disclose arbitrary files to remote attackers. This is because of the passing of specially crafted content to the underlying XML parser without taking proper restrictions such as prohibiting an external dtd. (ZDI-CAN-11890) | ||||
| CVE-2020-26709 | 1 Py-xml Project | 1 Py-xml | 2024-08-04 | 7.5 High |
| py-xml v1.0 was discovered to contain an XML External Entity Injection (XXE) vulnerability which allows attackers to execute arbitrary code via a crafted XML file. | ||||
| CVE-2020-26705 | 1 Easyxml Project | 1 Easyxml | 2024-08-04 | 9.1 Critical |
| The parseXML function in Easy-XML 0.5.0 was discovered to have a XML External Entity (XXE) vulnerability which allows for an attacker to expose sensitive data or perform a denial of service (DOS) via a crafted external entity entered into the XML content as input. | ||||
| CVE-2020-26708 | 1 Requests-xml Project | 1 Requests-xml | 2024-08-04 | 7.5 High |
| requests-xml v0.2.3 was discovered to contain an XML External Entity Injection (XXE) vulnerability which allows attackers to execute arbitrary code via a crafted XML file. | ||||
| CVE-2020-26564 | 1 Objectplanet | 1 Opinio | 2024-08-04 | 6.5 Medium |
| ObjectPlanet Opinio before 7.15 allows XXE attacks via three steps: modify a .css file to have <!ENTITY content, create a .xml file for a generic survey template (containing a link to this .css file), and import this .xml file at the survey/admin/folderSurvey.do?action=viewImportSurvey['importFile'] URI. The XXE can then be triggered at a admin/preview.do?action=previewSurvey&surveyId= URI. | ||||
| CVE-2020-26710 | 1 Easy-parse Project | 1 Easy-parse | 2024-08-04 | 7.5 High |
| easy-parse v0.1.1 was discovered to contain a XML External Entity Injection (XXE) vulnerability which allows attackers to execute arbitrary code via a crafted XML file. | ||||
| CVE-2020-26247 | 3 Debian, Nokogiri, Redhat | 5 Debian Linux, Nokogiri, 3scale Amp and 2 more | 2024-08-04 | 2.6 Low |
| Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed in Nokogiri version 1.11.0.rc4. | ||||
| CVE-2020-26513 | 1 Intland | 1 Codebeamer | 2024-08-04 | 5.5 Medium |
| An issue was discovered in Intland codeBeamer ALM 10.x through 10.1.SP4. The ReqIF XML data, used by the codebeamer ALM application to import projects, is parsed by insecurely configured software components, which can be abused for XML External Entity Attacks. | ||||