Total: 1073 CVEs
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2022-3340 | 1 Trellix | 1 Intrusion Prevention System Manager | 2024-08-03 | 5.9 Medium |
XML External Entity (XXE) vulnerability in Trellix IPS Manager prior to 10.1 M8 allows a remote authenticated administrator to perform an XXE attack through the part of the administrator interface that allows a saved XML configuration file to be imported. | ||||
CVE-2022-3338 | 1 Mcafee | 1 Epolicy Orchestrator | 2024-08-03 | 5.4 Medium |
An XML External Entity (XXE) vulnerability in ePO prior to 5.10 Update 14 can allow an unauthenticated remote attacker to trigger a Server Side Request Forgery (SSRF) attack. This can be exploited by mimicking the Agent Handler call to ePO and passing a carefully constructed XML file through the API. | ||||
CVE-2022-2838 | 1 Eclipse | 1 Sphinx | 2024-08-03 | 5.3 Medium |
In Eclipse Sphinx™ before version 0.13.1, the Apache Xerces XML parser was used without disabling processing of referenced external entities, allowing the injection of arbitrary entity definitions that can access local files and expose their contents via HTTP requests. | ||||
CVE-2022-2458 | 1 Redhat | 2 Jboss Enterprise Bpms Platform, Process Automation Manager | 2024-08-03 | 8.2 High |
XML external entity injection (XXE) is a vulnerability that allows an attacker to interfere with an application's processing of XML data. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. Here, XML external entity injection led to external service interaction and internal file read in Business Central and also the Kie-Server APIs. | ||||
CVE-2022-2414 | 2 Dogtagpki, Redhat | 7 Dogtagpki, Certificate System, Enterprise Linux and 4 more | 2024-08-03 | 7.5 High |
Access to external entities when parsing XML documents can lead to XML external entity (XXE) attacks. This flaw allows a remote attacker to potentially retrieve the content of arbitrary files by sending specially crafted HTTP requests. | ||||
CVE-2022-2330 | 2 Mcafee, Microsoft | 2 Data Loss Prevention Endpoint, Windows | 2024-08-03 | 6.5 Medium |
Improper Restriction of XML External Entity Reference vulnerability in DLP Endpoint for Windows prior to 11.9.100 allows a remote attacker, via a carefully constructed XML file that the DLP Agent does not parse correctly, to cause the DLP Agent to access a local service that the attacker would not usually have access to. | ||||
CVE-2022-1700 | 1 Forcepoint | 5 Cloud Security Gateway, Data Loss Prevention, Email Security and 2 more | 2024-08-03 | 7.5 High |
Improper Restriction of XML External Entity Reference ('XXE') vulnerability in the Policy Engine of Forcepoint Data Loss Prevention (DLP), which is also leveraged by Forcepoint One Endpoint (F1E), Web Security Content Gateway, Email Security with DLP enabled, and Cloud Security Gateway prior to June 20, 2022. The XML parser in the Policy Engine was found to be improperly configured to support external entities and external DTD (Document Type Definitions), which can lead to an XXE attack. This issue affects: Forcepoint Data Loss Prevention (DLP) versions prior to 8.8.2. Forcepoint One Endpoint (F1E) with Policy Engine versions prior to 8.8.2. Forcepoint Web Security Content Gateway versions prior to 8.5.5. Forcepoint Email Security with DLP enabled versions prior to 8.5.5. Forcepoint Cloud Security Gateway prior to June 20, 2022. | ||||
CVE-2022-0861 | 1 Mcafee | 1 Epolicy Orchestrator | 2024-08-02 | 3.5 Low |
An XML External Entity (XXE) vulnerability in McAfee Enterprise ePolicy Orchestrator (ePO) prior to 5.10 Update 13 allows a remote attacker with administrator privileges to upload a malicious XML file through the extension import functionality. The impact is limited to some access to confidential information and some ability to alter data. | ||||
CVE-2022-0839 | 3 Liquibase, Oracle, Redhat | 3 Liquibase, Sqlcl, Red Hat Single Sign On | 2024-08-02 | 9.8 Critical |
Improper Restriction of XML External Entity Reference in GitHub repository liquibase/liquibase prior to 4.8.0. | ||||
CVE-2022-0272 | 1 Detekt | 1 Detekt | 2024-08-02 | 9.8 Critical |
Improper Restriction of XML External Entity Reference in GitHub repository detekt/detekt prior to 1.20.0. | ||||
CVE-2022-0265 | 1 Hazelcast | 1 Hazelcast | 2024-08-02 | 9.8 Critical |
Improper Restriction of XML External Entity Reference in GitHub repository hazelcast/hazelcast in 5.1-BETA-1. | ||||
CVE-2022-0219 | 1 Jadx Project | 1 Jadx | 2024-08-02 | 5.5 Medium |
Improper Restriction of XML External Entity Reference in GitHub repository skylot/jadx prior to 1.3.2. | ||||
CVE-2022-0221 | 1 Schneider-electric | 1 Scadapack Workbench | 2024-08-02 | 5.5 Medium |
A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could result in information disclosure when opening a malicious solution file provided by an attacker with SCADAPack Workbench. This could be exploited to pass data from local files to a remote system controlled by an attacker. Affected Product: SCADAPack Workbench (6.6.8a and prior) | ||||
CVE-2022-0217 | 1 Prosody | 1 Prosody | 2024-08-02 | 7.5 High |
It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611). | ||||
CVE-2022-0198 | 1 Stanford | 1 Corenlp | 2024-08-02 | 7.1 High |
CoreNLP is vulnerable to Improper Restriction of XML External Entity Reference (XXE). | ||||
CVE-2023-52252 | 1 Unifiedremote | 1 Unified Remote | 2024-08-02 | 9.8 Critical |
Unified Remote 3.13.0 allows remote attackers to execute arbitrary Lua code because of a wildcarded Access-Control-Allow-Origin for the Remote upload endpoint. | ||||
CVE-2023-52239 | 1 Magicsoftware | 1 Magic Xpi Integration Platform | 2024-08-02 | 6.5 Medium |
The XML parser in Magic xpi Integration Platform 4.13.4 allows XXE attacks, e.g., via onItemImport. | ||||
CVE-2023-51591 | | | 2024-08-02 | N/A |
Voltronic Power ViewPower Pro doDocument XML External Entity Processing Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Voltronic Power ViewPower Pro. Authentication is not required to exploit this vulnerability. The specific flaw exists within the doDocument method. Due to the improper restriction of XML External Entity (XXE) references, a crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose information in the context of LOCAL SERVICE. Was ZDI-CAN-22081. | ||||
CVE-2023-50168 | | | 2024-08-02 | 7.7 High |
Pega Platform from 6.x to 8.8.4 is affected by an XXE issue with PDF Generation. | ||||
CVE-2023-49656 | 1 Jenkins | 1 Matlab | 2024-08-02 | 9.8 Critical |
Jenkins MATLAB Plugin 2.11.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
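
The descriptions above repeat one root cause in different words: a parser "used without disabling processing of referenced external entities" (Eclipse Sphinx), one "improperly configured to support external entities and external DTD" (Forcepoint), a plugin that "does not configure its XML parser to prevent XML external entity (XXE) attacks" (Jenkins MATLAB), and, in the Prosody entry, the separate point that a DTD can still be abused for recursive entity expansion (CWE-776) even where external entities are off. The following is an added example and not code from any vendor or project in the table. It uses Python's `xml.sax` (an expat wrapper, as Prosody's library is) to run a constructed file-read payload and a scaled-down entity-expansion payload through three configurations: the weak one the entries describe (external general entities fetched and inlined), Python's post-3.7.1 default (external entities skipped, DTD still honoured), and a hardened one that refuses any DOCTYPE. The `SECRET` string, the temporary secret file, the mode names and the entity names are constructed for this example.

```python
"""Added example: the CWE-611 / CWE-776 parser misconfiguration reproduced with
Python's xml.sax (an expat wrapper). Not code from any vendor listed above."""
import pathlib
import tempfile
from io import BytesIO

import xml.sax
from xml.sax import handler

SECRET = "s3cr3t-db-password"  # constructed stand-in for /etc/passwd or a config file
MODES = ("external-entities", "python-default", "reject-doctype")


class UnsafeXMLError(Exception):
    """Raised by the hardened configuration when untrusted input carries a DOCTYPE."""


class _TextCollector(handler.ContentHandler):
    """Collects character data, i.e. whatever the parser expanded entities into."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


class _RejectDoctype:
    """SAX lexical handler that aborts the parse as soon as a DTD is declared
    (the xml.sax counterpart of Xerces' disallow-doctype-decl feature)."""

    def startDTD(self, name, public_id, system_id):
        raise UnsafeXMLError(f"DOCTYPE {name!r} rejected: no DTDs in untrusted input")

    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def parse_text(xml_bytes: bytes, mode: str) -> str:
    """Parse xml_bytes under one of MODES and return its concatenated text content."""
    parser = xml.sax.make_parser()
    collector = _TextCollector()
    parser.setContentHandler(collector)
    if mode == "external-entities":
        # The weak configuration behind the CWE-611 entries: fetch and inline external
        # general entities (file://, http://, ...). The http:// case is the SSRF path.
        parser.setFeature(handler.feature_external_ges, True)
    elif mode == "python-default":
        # Python >= 3.7.1 default: external entities are skipped, but the DTD is
        # still honoured, so internal-entity amplification (CWE-776) goes through.
        parser.setFeature(handler.feature_external_ges, False)
    elif mode == "reject-doctype":
        parser.setFeature(handler.feature_external_ges, False)
        parser.setProperty(handler.property_lexical_handler, _RejectDoctype())
    else:
        raise ValueError(f"unknown mode {mode!r}")
    parser.parse(BytesIO(xml_bytes))
    return "".join(collector.chunks)


def build_file_read_payload(target: pathlib.Path) -> bytes:
    """Classic XXE: an external general entity whose SYSTEM id is a local file URI."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE config [<!ENTITY xxe SYSTEM "{target.as_uri()}">]>\n'
        "<config><name>&xxe;</name></config>"
    ).encode()


def build_amplification_payload(width: int = 10, depth: int = 3) -> bytes:
    """Scaled-down 'billion laughs': nested internal entities, width**depth copies of 'lol'."""
    decls = ['<!ENTITY lol0 "lol">']
    for level in range(1, depth + 1):
        decls.append(f'<!ENTITY lol{level} "{f"&lol{level - 1};" * width}">')
    return (
        '<?xml version="1.0"?>\n'
        f"<!DOCTYPE bomb [{''.join(decls)}]>\n"
        f"<bomb>&lol{depth};</bomb>"
    ).encode()


def run_demo() -> dict:
    """Parse both payloads under every mode; returns {mode: {case: text or 'rejected'}}."""
    outcomes = {}
    with tempfile.TemporaryDirectory() as tmp:
        secret_file = pathlib.Path(tmp) / "secret.txt"  # constructed target file
        secret_file.write_text(SECRET)
        cases = {
            "file_read": build_file_read_payload(secret_file),
            "amplification": build_amplification_payload(),
        }
        for mode in MODES:
            outcomes[mode] = {}
            for case, doc in cases.items():
                try:
                    outcomes[mode][case] = parse_text(doc, mode)
                except UnsafeXMLError:
                    outcomes[mode][case] = "rejected"
    return outcomes


if __name__ == "__main__":
    for mode, results in run_demo().items():
        for case, outcome in results.items():
            print(f"{mode:18} {case:14} -> {outcome if len(outcome) <= 40 else f'{len(outcome)} chars expanded'}")
```

Run as a script to print the outcome matrix: only the weak configuration returns the file's contents, but the default configuration still expands the nested entities to 3000 characters, so disabling external entities alone leaves CWE-776 open; refusing the DOCTYPE closes both. For the Xerces-based Java products in the table the equivalents are the `http://apache.org/xml/features/disallow-doctype-decl` feature set to true and, where a DTD must be accepted, `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` set to false.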