Total
1076 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-18705 | 1 Quokka Project | 1 Quokka | 2024-08-04 | 9.8 Critical |
| XML External Entities (XXE) in Quokka v0.4.0 allows remote attackers to execute arbitrary code via the component 'quokka/core/content/views.py'. | ||||
| CVE-2020-17376 | 2 Openstack, Redhat | 2 Nova, Openstack | 2024-08-04 | 8.3 High |
| An issue was discovered in Guest.migrate in virt/libvirt/guest.py in OpenStack Nova before 19.3.1, 20.x before 20.3.1, and 21.0.0. By performing a soft reboot of an instance that has previously undergone live migration, a user may gain access to destination host devices that share the same paths as host devices previously referenced by the virtual machine on the source host. This can include block devices that map to different Cinder volumes at the destination than at the source. Only deployments allowing host-based connections (for instance, root and ephemeral devices) are affected. | ||||
| CVE-2020-17408 | 1 Nec | 1 Expresscluster X | 2024-08-04 | 7.5 High |
| This vulnerability allows remote attackers to disclose sensitive information on affected installations of NEC ExpressCluster 4.1. Authentication is not required to exploit this vulnerability. The specific flaw exists within the clpwebmc executable. Due to the improper restriction of XML External Entity (XXE) references, a specially-crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM. Was ZDI-CAN-10801. | ||||
| CVE-2020-15772 | 1 Gradle | 1 Enterprise | 2024-08-04 | 4.9 Medium |
| An issue was discovered in Gradle Enterprise 2018.5 - 2020.2.4. When configuring Gradle Enterprise to integrate with a SAML identity provider, an XML metadata file can be uploaded by an administrator. The server side processing of this file dereferences XML External Entities (XXE), allowing a remote attacker with administrative access to perform server side request forgery. | ||||
| CVE-2020-15418 | 1 Veeam | 2 One, One Firmware | 2024-08-04 | 7.5 High |
| This vulnerability allows remote attackers to disclose sensitive information on affected installations of Veeam ONE 10.0.0.750_20200415. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SSRSReport class. Due to the improper restriction of XML External Entity (XXE) references, a specially crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose file contents in the context of SYSTEM. Was ZDI-CAN-10709. | ||||
| CVE-2020-15419 | 1 Veeam | 2 One, One Firmware | 2024-08-04 | 7.5 High |
| This vulnerability allows remote attackers to disclose sensitive information on affected installations of Veeam ONE 10.0.0.750_20200415. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Reporter_ImportLicense class. Due to the improper restriction of XML External Entity (XXE) references, a specially crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose file contents in the context of SYSTEM. Was ZDI-CAN-10710. | ||||
| CVE-2020-15352 | 2 Ivanti, Pulsesecure | 4 Connect Secure, Policy Secure, Pulse Connect Secure and 1 more | 2024-08-04 | 7.2 High |
| An XML external entity (XXE) vulnerability in Pulse Connect Secure (PCS) before 9.1R9 and Pulse Policy Secure (PPS) before 9.1R9 allows remote authenticated admins to conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. | ||||
| CVE-2020-15232 | 1 Mapfish | 1 Print | 2024-08-04 | 9.3 Critical |
| In mapfish-print before version 3.24, a user can do to an XML External Entity (XXE) attack with the provided SDL style. | ||||
| CVE-2020-14940 | 1 Herac | 1 Tuxguitar | 2024-08-04 | 7.5 High |
| An issue was discovered in io/gpx/GPXDocumentReader.java in TuxGuitar 1.5.4. It uses misconfigured XML parsers, leading to XXE while loading GP6 (.gpx) and GP7 (.gp) tablature files. | ||||
| CVE-2020-14379 | 1 Redhat | 1 Jboss A-mq | 2024-08-04 | 5.6 Medium |
| A flaw was found in Red Hat AMQ Broker in a way that a XEE attack can be done via Broker's configuration files, leading to denial of service and information disclosure. | ||||
| CVE-2020-14204 | 1 Ibi | 1 Webfocus Business Intelligence | 2024-08-04 | 8.2 High |
| In WebFOCUS Business Intelligence 8.0 (SP6), the administration portal allows remote attackers to read arbitrary local files or forge server-side HTTP requests via a crafted HTTP request to /ibi_apps/WFServlet.cfg because XML external entity injection is possible. This is related to making changes to the application repository configuration. | ||||
| CVE-2020-14029 | 1 Ozeki | 1 Ozeki Ng Sms Gateway | 2024-08-04 | 7.5 High |
| An issue was discovered in Ozeki NG SMS Gateway through 4.17.6. The RSS To SMS module processes XML files in an unsafe manner. This opens the application to an XML External Entity attack that can be used to perform SSRF or read arbitrary local files. | ||||
| CVE-2020-13940 | 1 Apache | 1 Nifi | 2024-08-04 | 5.5 Medium |
| In Apache NiFi 1.0.0 to 1.11.4, the notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE). | ||||
| CVE-2020-13883 | 1 Wso2 | 3 Api Manager, Api Microgateway, Identity Server As Key Manager | 2024-08-04 | 6.7 Medium |
| In WSO2 API Manager 3.0.0 and earlier, WSO2 API Microgateway 2.2.0, and WSO2 IS as Key Manager 5.9.0 and earlier, Management Console allows XXE during addition or update of a Lifecycle. | ||||
| CVE-2020-13692 | 6 Debian, Fedoraproject, Netapp and 3 more | 14 Debian Linux, Fedora, Steelstore Cloud Integrated Storage and 11 more | 2024-08-04 | 7.7 High |
| PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE. | ||||
| CVE-2020-12719 | 1 Wso2 | 7 Api Manager, Api Manager Analytics, Api Microgateway and 4 more | 2024-08-04 | 7.2 High |
| XXE during an EventPublisher update can occur in Management Console in WSO2 API Manager 3.0.0 and earlier, API Manager Analytics 2.5.0 and earlier, API Microgateway 2.2.0, Enterprise Integrator 6.4.0 and earlier, IS as Key Manager 5.9.0 and earlier, Identity Server 5.9.0 and earlier, and Identity Server Analytics 5.6.0 and earlier. | ||||
| CVE-2020-12642 | 1 Reportportal | 1 Service-api | 2024-08-04 | 7.5 High |
| An issue was discovered in service-api before 4.3.12 and 5.x before 5.1.1 for Report Portal. It allows XXE, with resultant secrets disclosure and SSRF, via JUnit XML launch import. | ||||
| CVE-2020-12684 | 1 Inetsoftware | 1 I-net Clear Reports | 2024-08-04 | 9.8 Critical |
| XXE injection can occur in i-net Clear Reports 2019 19.0.287 (Designer), as used in i-net HelpDesk and other products, when XML input containing a reference to an external entity is processed by a weakly configured XML parser. | ||||
| CVE-2020-12025 | 1 Rockwellautomation | 1 Studio 5000 Logix Designer | 2024-08-04 | 3.3 Low |
| Rockwell Automation Logix Designer Studio 5000 Versions 32.00, 32.01, and 32.02 vulnerable to an xml external entity (XXE) vulnerability, which may allow an attacker to view hostnames or other resources from the program. | ||||
| CVE-2020-11991 | 1 Apache | 1 Cocoon | 2024-08-04 | 7.5 High |
| When using the StreamGenerator, the code parse a user-provided XML. A specially crafted XML, including external system entities, could be used to access any file on the server system. | ||||