Total: 1076 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2020-11885 | 1 Wso2 | 1 Enterprise Integrator | 2024-08-04 | 7.2 High | WSO2 Enterprise Integrator through 6.6.0 has an XXE vulnerability where a user (with admin console access) can use the XML validator to make unintended network invocations such as SSRF via an uploaded file.
CVE-2020-11541 | 1 Techsmith | 1 Snagit | 2024-08-04 | 5.5 Medium | In TechSmith SnagIt 11.2.1 through 20.0.3, an XML External Entity (XXE) injection issue exists that would allow a local attacker to exfiltrate data under the local Administrator account.
CVE-2020-11586 | 1 Cipplanner | 1 Cipace | 2024-08-04 | 9.8 Critical | An XXE issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make an API request that contains malicious XML DTD data.
CVE-2020-10991 | 1 Mulesoft | 1 Apikit | 2024-08-04 | 9.8 Critical | Mulesoft APIkit through 1.3.0 allows XXE because of validation/RestXmlSchemaValidator.java.
CVE-2020-10992 | 1 Azkaban Project | 1 Azkaban | 2024-08-04 | 9.8 Critical | Azkaban through 3.84.0 allows XXE, related to validator/XmlValidatorManager.java and user/XmlUserManager.java.
CVE-2020-10993 | 1 Osmand | 1 Osmand | 2024-08-04 | 9.1 Critical | Osmand through 2.0.0 allows XXE because of binary/BinaryMapIndexReader.java.
CVE-2020-10990 | 1 Accenture | 1 Mercury | 2024-08-04 | 9.8 Critical | An XXE issue exists in Accenture Mercury before 1.12.28 because of the platformlambda/core/serializers/SimpleXmlParser.java component.
CVE-2020-9352 | 1 Smartclient | 1 Smartclient | 2024-08-04 | 9.8 Critical | An issue was discovered in SmartClient 12.0. Unauthenticated exploitation of blind XXE can occur in the downloadWSDL feature by sending a POST request to /tools/developerConsoleOperations.jsp with a valid payload in the _transaction parameter. NOTE: the documentation states "These tools are, by default, available to anyone ... so they should only be deployed into a trusted environment. Alternately, the tools can easily be restricted to administrators or end users by protecting the tools path with normal authentication and authorization mechanisms on the web server."
CVE-2020-10799 | 1 Svglib Project | 1 Svglib | 2024-08-04 | 9.8 Critical | The svglib package through 0.9.3 for Python allows XXE attacks via an svg2rlg call.
CVE-2020-10683 | 6 Canonical, Dom4j Project, Netapp and 3 more | 44 Ubuntu Linux, Dom4j, Oncommand Api Services and 41 more | 2024-08-04 | 9.8 Critical | dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.
CVE-2020-10629 | 1 Advantech | 1 Webaccess/nms | 2024-08-04 | 7.5 High | WebAccess/NMS (versions prior to 3.0.2) does not sanitize XML input. Specially crafted XML input could allow an attacker to read sensitive files.
CVE-2020-9044 | 1 Johnsoncontrols | 20 Metasys Application And Data Server, Metasys Extended Application And Data Server, Metasys Lonworks Control Server and 17 more | 2024-08-04 | 7.5 High | An XXE vulnerability exists in the Metasys family of product Web Services, which has the potential to facilitate DoS attacks or harvesting of ASCII server files. This affects Johnson Controls' Metasys Application and Data Server (ADS, ADS-Lite) versions 10.1 and prior; Metasys Extended Application and Data Server (ADX) versions 10.1 and prior; Metasys Open Data Server (ODS) versions 10.1 and prior; Metasys Open Application Server (OAS) version 10.1; Metasys Network Automation Engine (NAE55 only) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys Network Integration Engine (NIE55/NIE59) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys NAE85 and NIE85 versions 10.1 and prior; Metasys LonWorks Control Server (LCS) versions 10.1 and prior; Metasys System Configuration Tool (SCT) versions 13.2 and prior; Metasys Smoke Control Network Automation Engine (NAE55, UL 864 UUKL/ORD-C100-13 UUKLC 10th Edition Listed) version 8.1.
CVE-2020-8541 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-08-04 | 6.5 Medium | OX App Suite through 7.10.3 allows XXE attacks.
CVE-2020-8540 | 1 Zohocorp | 1 Manageengine Desktop Central | 2024-08-04 | 9.8 Critical | An XML external entity (XXE) vulnerability in Zoho ManageEngine Desktop Central before the 07-Mar-2020 update allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.
CVE-2020-8256 | 2 Ivanti, Pulsesecure | 2 Connect Secure, Pulse Connect Secure | 2024-08-04 | 4.9 Medium | A vulnerability in the Pulse Connect Secure < 9.1R8.2 admin web interface could allow an authenticated attacker to gain arbitrary file reading access through Pulse Collaboration via an XML External Entity (XXE) vulnerability.
CVE-2020-7572 | 1 Schneider-electric | 1 Webreports | 2024-08-04 | 8.8 High | A CWE-611 Improper Restriction of XML External Entity Reference vulnerability exists in EcoStruxure Building Operation WebReports V1.9 - V3.1 that could allow an authenticated remote user to inject arbitrary XML code and obtain disclosure of confidential data, denial of service, or server-side request forgery due to improper configuration of the XML parser.
CVE-2020-6958 | 1 Yet Another Java Service Wrapper Project | 1 Yet Another Java Service Wrapper | 2024-08-04 | 9.1 Critical | An XXE vulnerability in JnlpSupport in Yet Another Java Service Wrapper (YAJSW) 12.14, as used in NSA Ghidra and other products, allows attackers to exfiltrate data from remote hosts and potentially cause denial of service.
CVE-2020-6590 | 1 Forcepoint | 3 Data Loss Prevention, Email Security, Web Security Content Gateway | 2024-08-04 | 7.5 High | Forcepoint Web Security Content Gateway versions prior to 8.5.4 improperly process XML input, leading to information disclosure.
CVE-2020-6238 | 1 Sap | 1 Commerce Cloud | 2024-08-04 | 9.3 Critical | SAP Commerce, versions 6.6, 6.7, 1808, 1811, 1905, does not process XML input securely in the Rest API from Servlet xyformsweb, leading to Missing XML Validation. This affects the confidentiality and (partially) the availability of SAP Commerce.
CVE-2020-6187 | 1 Sap | 1 Netweaver Guided Procedures | 2024-08-04 | 4.9 Medium | SAP NetWeaver (Guided Procedures), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate an XML document input from a compromised admin, leading to Denial of Service.