Total: 1073 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
---|---|---|---|---|---|
CVE-2023-28681 | 1 Jenkins | 1 Visual Studio Code Metrics | 2024-08-02 | 8.2 High | Jenkins Visual Studio Code Metrics Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
CVE-2023-28340 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-08-02 | 6.5 Medium | Zoho ManageEngine Applications Manager through 16320 allows the admin user to conduct an XXE attack. |
CVE-2023-28151 | 1 Independentsoft | 1 Jspreadsheet | 2024-08-02 | 5.3 Medium | An issue was discovered in Independentsoft JSpreadsheet before 1.1.110. The API is prone to XML external entity (XXE) injection via a remote DTD in a DOCX file. |
CVE-2023-28152 | 1 Independentsoft | 1 Jword | 2024-08-02 | 5.3 Medium | An issue was discovered in Independentsoft JWord before 1.1.110. The API is prone to XML external entity (XXE) injection via a remote DTD in a DOCX file. |
CVE-2023-28150 | 1 Independentsoft | 1 Jodf | 2024-08-02 | 5.3 Medium | An issue was discovered in Independentsoft JODF before 1.1.110. The API is prone to XML external entity (XXE) injection via a remote DTD in a DOCX file. |
CVE-2023-28008 | 1 Hcltech | 1 Workload Automation | 2024-08-02 | 7.1 High | HCL Workload Automation 9.4, 9.5, and 10.1 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. |
CVE-2023-28009 | 1 Hcltech | 1 Workload Automation | 2024-08-02 | 6.5 Medium | HCL Workload Automation is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. |
CVE-2023-27874 | 2 Ibm, Linux | 2 Aspera Faspex, Linux Kernel | 2024-08-02 | 9.9 Critical | IBM Aspera Faspex 4.4.2 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote authenticated attacker could exploit this vulnerability to execute arbitrary commands. IBM X-Force ID: 249845. |
CVE-2023-27876 | 1 Ibm | 1 Tririga Application Platform | 2024-08-02 | 7.1 High | IBM TRIRIGA 4.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 249975. |
CVE-2023-27527 | 1 Touki-kyoutaku-online | 1 Shinseiyo Sogo Soft | 2024-08-02 | 7.5 High | Shinseiyo Sogo Soft (7.9A) and earlier improperly restricts XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the PC may be accessed by an attacker. |
CVE-2023-27554 | 1 Ibm | 1 Websphere Application Server | 2024-08-02 | 6.3 Medium | IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 249185. |
CVE-2023-27480 | 1 Xwiki | 1 Xwiki | 2024-08-02 | 7.7 High | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with edit rights on a document can trigger an XAR import on a forged XAR file, leading to the ability to display the content of any file on the XWiki server host. This vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10-rc-1. Users are advised to upgrade. Users unable to upgrade may apply the patch `e3527b98fd` manually. |
CVE-2023-27476 | 1 Osgeo | 1 Owslib | 2024-08-02 | 8.2 High | OWSLib is a Python package for client programming with Open Geospatial Consortium (OGC) web service interface standards, and their related content models. OWSLib's XML parser (which supports both `lxml` and `xml.etree`) does not disable entity resolution, and could lead to arbitrary file reads from an attacker-controlled XML payload. This affects all XML parsing in the codebase. This issue has been addressed in version 0.28.1. All users are advised to upgrade. The only known workaround is to patch the library manually. See `GHSA-8h9c-r582-mggc` for details. |
CVE-2023-26461 | 1 Sap | 1 Netweaver Enterprise Portal | 2024-08-02 | 6.8 Medium | SAP NetWeaver (SAP Enterprise Portal) version 7.50 allows an authenticated attacker with sufficient privileges to access the XML parser and submit a crafted XML file which, when parsed, enables them to access but not modify sensitive files and data. This allows the attacker to view sensitive data that is owned by certain privileges. |
CVE-2023-26267 | 1 Php-saml-sp Project | 1 Php-saml-sp | 2024-08-02 | 6.5 Medium | php-saml-sp before 1.1.1 and 2.x before 2.1.1 allows reading arbitrary files as the webserver user because resolving XML external entities was silently enabled via `\LIBXML_DTDLOAD \| \LIBXML_DTDATTR`. |
CVE-2023-26264 | 1 Talend | 1 Data Catalog | 2024-08-02 | 5.5 Medium | All versions of Talend Data Catalog before 8.0-20220907 are potentially vulnerable to XML External Entity (XXE) attacks in the license parsing code. |
CVE-2023-26263 | 1 Talend | 1 Data Catalog | 2024-08-02 | 5.5 Medium | All versions of Talend Data Catalog before 8.0-20230110 are potentially vulnerable to XML External Entity (XXE) attacks in the /MIMBWebServices/license endpoint of the remote harvesting server. |
CVE-2023-26058 | 1 Nokia | 1 Netact | 2024-08-02 | 6.5 Medium | An XXE issue was discovered in Nokia NetAct before 22 FP2211 via an XML document to a Performance Manager page. Input validation and a proper XML parser configuration are missing. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user. |
CVE-2023-26057 | 1 Nokia | 1 Netact | 2024-08-02 | 6.5 Medium | An XXE issue was discovered in Nokia NetAct before 22 FP2211 via an XML document to the Configuration Dashboard page. Input validation and a proper XML parser configuration are missing. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user. |
CVE-2023-26043 | 1 Geosolutionsgroup | 1 Geonode | 2024-08-02 | 6.5 Medium | GeoNode is an open source platform that facilitates the creation, sharing, and collaborative use of geospatial data. GeoNode is vulnerable to an XML External Entity (XXE) injection in the style upload functionality of GeoServer leading to Arbitrary File Read. This issue has been patched in version 4.0.3. |