Total: 1076 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2021-40439 | 1 Apache | 1 Openoffice | 2024-08-04 | 6.5 Medium | Apache OpenOffice has a dependency on expat software. Versions prior to 2.1.0 were subject to CVE-2013-0340, a "Billion Laughs" entity-expansion denial-of-service attack exploitable via crafted XML files. ODF files consist of a set of XML files. All versions of Apache OpenOffice up to 4.1.10 are subject to this issue; the expat shipped in version 4.1.11 is patched.
CVE-2021-40356 | 1 Siemens | 1 Teamcenter Visualization | 2024-08-04 | 7.5 High | A vulnerability has been identified in Teamcenter V12.4 (All versions < V12.4.0.8), Teamcenter V13.0 (All versions < V13.0.0.7), Teamcenter V13.1 (All versions < V13.1.0.5), Teamcenter V13.2 (All versions < 13.2.0.2). The application contains an XML External Entity Injection (XXE) vulnerability. This could allow an attacker to view files on the application server filesystem.
CVE-2021-39371 | 2 Debian, Osgeo | 3 Debian Linux, Owslib, Pywps | 2024-08-04 | 7.5 High | An XML external entity (XXE) injection in PyWPS before 4.4.5 allows an attacker to view files on the application server filesystem by assigning a path to the entity. OWSLib 0.24.1 may also be affected.
CVE-2021-39239 | 1 Apache | 1 Jena | 2024-08-04 | 7.5 High | A vulnerability in XML processing in Apache Jena, in versions up to 4.1.0, may allow an attacker to execute XML External Entities (XXE), including exposing the contents of local files to a remote server.
CVE-2021-38584 | 1 Cpanel | 1 Cpanel | 2024-08-04 | 7.2 High | The WHM Locale Upload feature in cPanel before 98.0.1 allows XXE attacks (SEC-585).
CVE-2021-38555 | 1 Apache | 1 Any23 | 2024-08-04 | 9.1 Critical | An XML external entity (XXE) injection vulnerability was discovered in the Any23 StreamUtils.java file and is known to affect Any23 versions < 2.5. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access.
CVE-2021-38298 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2024-08-04 | 9.8 Critical | Zoho ManageEngine ADManager Plus before 7110 is vulnerable to blind XXE.
CVE-2021-37425 | 1 Altova | 1 Mobiletogether Server | 2024-08-04 | 9.1 Critical | Altova MobileTogether Server before 7.3 SP1 allows XXE attacks, such as an InfoSetChanges/Changes attack against /workflowmanagement, or reading mobiletogetherserver.cfg and then reading the certificate and private key.
CVE-2021-37178 | 1 Siemens | 2 Solid Edge Se2021, Solid Edge Se2021 Firmware | 2024-08-04 | 5.5 Medium | A vulnerability has been identified in Solid Edge SE2021 (All Versions < SE2021MP7). An XML external entity injection vulnerability in the underlying XML parser could cause the affected application to disclose arbitrary files to remote attackers by loading a specially crafted XML file.
CVE-2021-35201 | 1 Netscout | 1 Ngeniusone | 2024-08-04 | 6.5 Medium | NEI in NETSCOUT nGeniusONE 6.3.0 build 1196 allows XML External Entity (XXE) attacks.
CVE-2021-35066 | 1 Connectwise | 1 Automate | 2024-08-04 | 9.8 Critical | An XXE vulnerability exists in ConnectWise Automate before 2021.0.6.132.
CVE-2021-34823 | 1 On24 | 1 Screenshare | 2024-08-04 | 9.1 Critical | The ON24 ScreenShare (aka DesktopScreenShare.app) plugin before 2.0 for macOS allows remote file access via its built-in HTTP server. This allows unauthenticated remote users to retrieve files accessible to the logged-on macOS user. When a remote user sends a crafted HTTP request to the server, it triggers a code path that will download a configuration file from a specified remote machine over HTTP. There is an XXE flaw in the processing of this configuration file that allows reading local (to macOS) files and uploading them to remote machines.
CVE-2021-34436 | 1 Eclipse | 1 Theia | 2024-08-04 | 9.8 Critical | In Eclipse Theia 0.1.1 to 0.2.0, it is possible to exploit the default build to obtain remote code execution (and XXE) via the theia-xml-extension. This extension uses lsp4xml (recently renamed to LemMinX) in order to provide language support for XML. This is installed by default.
CVE-2021-33950 | 1 Openkm | 1 Openkm | 2024-08-04 | 7.5 High | An issue discovered in OpenKM v6.3.10 allows attackers to obtain sensitive information via the XMLTextExtractor function.
CVE-2021-33813 | 6 Apache, Debian, Fedoraproject and 3 more | 10 Solr, Tika, Debian Linux and 7 more | 2024-08-03 | 7.5 High | An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.
CVE-2021-33208 | 1 Softwareag | 1 Mashzone Nextgen | 2024-08-03 | 7.2 High | The "Register an Ehcache Configuration File" admin feature in MashZone NextGen through 10.7 GA allows XXE attacks via a malicious XML configuration file.
CVE-2021-32972 | 1 Panasonic | 1 Fpwin Pro | 2024-08-03 | 5.5 Medium | Panasonic FPWIN Pro, all versions 7.5.1.1 and prior, allows an attacker to craft a project file specifying a URI that causes the XML parser to access the URI and embed the contents, which may allow the attacker to disclose information that is accessible in the context of the user executing the software.
CVE-2021-32925 | 1 Chamilo | 1 Chamilo | 2024-08-03 | 6.5 Medium | admin/user_import.php in Chamilo 1.11.x reads XML data without disabling the ability to load external entities.
CVE-2021-32754 | 1 Flowdroid Project | 1 Flowdroid | 2024-08-03 | 5.3 Medium | FlowDroid is a data flow analysis tool. FlowDroid versions prior to 2.9.0 contained an XML external entity (XXE) vulnerability that allowed an attacker who had control over the source/sink definition file in XML format to read files from external locations. In order for this to occur, the XML-based format for sources and sinks had to be used and the attacker had to be able to control the source/sink definition file. The vulnerability was patched in version 2.9.0. As a workaround, do not allow untrusted entities to control the source/sink definition file.
CVE-2021-30006 | 1 Jetbrains | 1 Intellij Idea | 2024-08-03 | 7.5 High | In IntelliJ IDEA before 2020.3.3, XXE was possible, leading to information disclosure.