Total
74 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-3541 | 4 Netapp, Oracle, Redhat and 1 more | 29 Active Iq Unified Manager, Cloud Backup, Clustered Data Ontap and 26 more | 2024-08-03 | 6.5 Medium |
| A flaw was found in libxml2. Exponential entity expansion attack its possible bypassing all existing protection mechanisms and leading to denial of service. | ||||
| CVE-2022-44641 | 2 Debian, Linaro | 2 Debian Linux, Lava | 2024-08-03 | 6.5 Medium |
| In Linaro Automated Validation Architecture (LAVA) before 2022.11, users with valid credentials can submit crafted XMLRPC requests that cause a recursive XML entity expansion, leading to excessive use of memory on the server and a Denial of Service. | ||||
| CVE-2022-34467 | 1 Mendix | 1 Excel Importer | 2024-08-03 | 6.5 Medium |
| A vulnerability has been identified in Mendix Excel Importer Module (Mendix 8 compatible) (All versions < V9.2.2), Mendix Excel Importer Module (Mendix 9 compatible) (All versions < V10.1.2). The affected component is vulnerable to XML Entity Expansion Injection. An attacker may use this to compromise the availability of the affected component. | ||||
| CVE-2022-33977 | 1 Untangle Project | 1 Untangle | 2024-08-03 | 7.5 High |
| untangle is a python library to convert XML data to python objects. untangle versions 1.2.0 and earlier improperly restricts recursive entity references in DTDs. By exploiting this vulnerability, a remote unauthenticated attacker may cause a denial-of-service (DoS) condition on the server where the product is running. | ||||
| CVE-2022-26662 | 2 Debian, Tryton | 3 Debian Linux, Proteus, Trytond | 2024-08-03 | 7.5 High |
| An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An unauthenticated user can send a crafted XML-RPC message to consume all the resources of the server. | ||||
| CVE-2022-23640 | 1 Excel Streaming Reader Project | 1 Excel Streaming Reader | 2024-08-03 | 9.8 Critical |
| Excel-Streaming-Reader is an easy-to-use implementation of a streaming Excel reader using Apache POI. Prior to xlsx-streamer 2.1.0, the XML parser that was used did apply all the necessary settings to prevent XML Entity Expansion issues. Upgrade to version 2.1.0 to receive a patch. There is no known workaround. | ||||
| CVE-2022-0217 | 1 Prosody | 1 Prosody | 2024-08-02 | 7.5 High |
| It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611). | ||||
| CVE-2023-52426 | 1 Libexpat Project | 1 Libexpat | 2024-08-02 | 5.5 Medium |
| libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time. | ||||
| CVE-2023-28118 | 1 Kaml Project | 1 Kaml | 2024-08-02 | 7.5 High |
| kaml provides YAML support for kotlinx.serialization. Prior to version 0.53.0, applications that use kaml to parse untrusted input containing anchors and aliases may consume excessive memory and crash. Version 0.53.0 and later default to refusing to parse YAML documents containing anchors and aliases. There are no known workarounds. | ||||
| CVE-2023-20052 | 3 Cisco, Clamav, Stormshield | 4 Secure Endpoint, Secure Endpoint Private Cloud, Clamav and 1 more | 2024-08-02 | 5.3 Medium |
| On Feb 15, 2023, the following vulnerability in the ClamAV scanning library was disclosed: A vulnerability in the DMG file parser of ClamAV versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier could allow an unauthenticated, remote attacker to access sensitive information on an affected device. This vulnerability is due to enabling XML entity substitution that may result in XML external entity injection. An attacker could exploit this vulnerability by submitting a crafted DMG file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to leak bytes from any file that may be read by the ClamAV scanning process. | ||||
| CVE-2023-3569 | 1 Phoenixcontact | 14 Cloud Client 1101t-tx, Cloud Client 1101t-tx Firmware, Tc Cloud Client 1002-4g and 11 more | 2024-08-02 | 4.9 Medium |
| In PHOENIX CONTACTs TC ROUTER and TC CLOUD CLIENT in versions prior to 2.07.2 as well as CLOUD CLIENT 1101T-TX/TX prior to 2.06.10 an authenticated remote attacker with admin privileges could upload a crafted XML file which causes a denial-of-service. | ||||
| CVE-2024-28757 | 1 Redhat | 2 Enterprise Linux, Rhel Eus | 2024-08-02 | 7.5 High |
| libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate). | ||||
| CVE-2024-27141 | 2024-08-02 | 5.9 Medium | ||
| Toshiba printers use XML communication for the API endpoint provided by the printer. For the endpoint, XML parsing library is used and it is vulnerable to a time-based blind XML External Entity (XXE) vulnerability. An attacker can DoS the printers by sending a HTTP request without authentication. An attacker can exploit the XXE to retrieve information. As for the affected products/models/versions, see the reference URL. | ||||
| CVE-2024-27142 | 2024-08-02 | 5.9 Medium | ||
| Toshiba printers use XML communication for the API endpoint provided by the printer. For the endpoint, XML parsing library is used and it is vulnerable to a time-based blind XML External Entity (XXE) vulnerability. An attacker can DoS the printers. An attacker can exploit the XXE to retrieve information. As for the affected products/models/versions, see the reference URL. | ||||