Total: 1073 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2023-25955 | 1 Mlit | 1 National Land Numerical Information Data Conversion Tool | 2024-08-02 | 5.5 Medium | National Land Numerical Information Data Conversion Tool, all versions, improperly restricts XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the PC may be accessed by an attacker.
CVE-2023-25926 | | | 2024-08-02 | 5.5 Medium | IBM Security Guardium Key Lifecycle Manager 3.0, 3.0.1, 4.0, 4.1, and 4.1.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 247599.
CVE-2023-24443 | 1 Jenkins | 1 Testcomplete Support | 2024-08-02 | 9.8 Critical | Jenkins TestComplete support Plugin 2.8.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2023-24430 | 1 Jenkins | 1 Semantic Versioning | 2024-08-02 | 9.8 Critical | Jenkins Semantic Versioning Plugin 1.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2023-24470 | 1 Microfocus | 1 Arcsight Logger | 2024-08-02 | 9.1 Critical | Potential XML External Entity Injection in ArcSight Logger versions prior to 7.3.0.
CVE-2023-24441 | 1 Jenkins | 1 Mstest | 2024-08-02 | 9.8 Critical | Jenkins MSTest Plugin 1.0.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2023-24429 | 1 Jenkins | 1 Semantic Versioning | 2024-08-02 | 9.8 Critical | Jenkins Semantic Versioning Plugin 1.14 and earlier does not restrict execution of a controller/agent message to agents, and implements no limitations on the file path that can be parsed, allowing attackers able to control agent processes to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
CVE-2023-24323 | 1 Mojoportal | 1 Mojoportal | 2024-08-02 | 8.8 High | Mojoportal v2.7 was discovered to contain an authenticated XML external entity (XXE) injection vulnerability.
CVE-2023-24187 | 1 Ureport Project | 1 Ureport | 2024-08-02 | 7.8 High | An XML External Entity (XXE) vulnerability in ureport v2.2.9 allows attackers to execute arbitrary code via uploading a crafted XML file to /ureport/designer/saveReportFile.
CVE-2023-24189 | 1 Bstek | 1 Urule | 2024-08-02 | 9.8 Critical | An XML External Entity (XXE) vulnerability in urule v2.1.7 allows attackers to execute arbitrary code via uploading a crafted XML file to /urule/common/saveFile.
CVE-2023-23926 | 1 Neo4j | 1 Awesome Procedures On Cyper | 2024-08-02 | 5.9 Medium | APOC (Awesome Procedures on Cypher) is an add-on library for Neo4j. An XML External Entity (XXE) vulnerability was found in the apoc.import.graphml procedure of the APOC core plugin prior to version 5.5.0 and 4.4.0.14 (4.4 branch) in the Neo4j graph database. XML External Entity (XXE) injection occurs when the XML parser allows external entities to be resolved. The XML parser used by the apoc.import.graphml procedure was not configured in a secure way and therefore allowed this. External entities can be used to read local files, send HTTP requests, and perform denial-of-service attacks on the application. Abusing the XXE vulnerability enabled assessors to read local files remotely, although with the level of privileges assessors had this was limited to one-line files. With the ability to write to the database, any file could have been read. Additionally, assessors noted, with local testing, that the server could be crashed by passing in improperly formatted XML. The minimum version containing a patch for this vulnerability is 5.5.0. Those who cannot upgrade the library can control the allowlist of the procedures that can be used in their system.
CVE-2023-23595 | 1 Bluecatnetworks | 1 Device Registration Portal | 2024-08-02 | 7.5 High | BlueCat Device Registration Portal 2.2 allows XXE attacks that exfiltrate single-line files. A single-line file might contain credentials, such as "machine example.com login daniel password qwerty" in the documentation example for the .netrc file format. NOTE: 2.x versions are no longer supported. There is no available information about whether any later version is affected.
CVE-2023-22832 | 1 Apache | 1 Nifi | 2024-08-02 | 7.5 High | The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references. Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor.
CVE-2023-22624 | 1 Zohocorp | 1 Manageengine Exchange Reporter Plus | 2024-08-02 | 7.5 High | Zoho ManageEngine Exchange Reporter Plus before 5708 allows attackers to conduct XXE attacks.
CVE-2023-22377 | 1 Fujitsu | 2 Tsclinical Define.xml Generator, Tsclinical Metadata Desktop Tools | 2024-08-02 | 7.4 High | An improper restriction of XML external entity reference (XXE) vulnerability exists in tsClinical Define.xml Generator, all versions (v1.0.0 to v1.4.0), and tsClinical Metadata Desktop Tools Version 1.0.3 to Version 1.1.0. If this vulnerability is exploited, an attacker may obtain an arbitrary file which meets a certain condition by reading a specially crafted XML file.
CVE-2023-22322 | 1 Omron | 1 Cx-motion Pro | 2024-08-02 | 5.5 Medium | An improper restriction of XML external entity reference (XXE) vulnerability exists in OMRON CX-Motion Pro 1.4.6.013 and earlier. If a user opens a specially crafted project file created by an attacker, sensitive information in the file system where CX-Motion Pro is installed may be disclosed.
CVE-2023-6280 | 1 52north | 1 Wps | 2024-08-02 | 7.2 High | An XXE (XML External Entity) vulnerability has been detected in 52North WPS affecting versions prior to 4.0.0-beta.11. This vulnerability allows the use of external entities in its WebProcessingService servlet for an attacker to retrieve files by making HTTP requests to the internal network.
CVE-2023-20855 | 1 Vmware | 2 Vrealize Automation, Vrealize Orchestrator | 2024-08-02 | 8.8 High | VMware vRealize Orchestrator contains an XML External Entity (XXE) vulnerability. A malicious actor with non-administrative access to vRealize Orchestrator may be able to use specially crafted input to bypass XML parsing restrictions, leading to access to sensitive information or possible escalation of privileges.
CVE-2023-20052 | 3 Cisco, Clamav, Stormshield | 4 Secure Endpoint, Secure Endpoint Private Cloud, Clamav and 1 more | 2024-08-02 | 5.3 Medium | On Feb 15, 2023, the following vulnerability in the ClamAV scanning library was disclosed: A vulnerability in the DMG file parser of ClamAV versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier could allow an unauthenticated, remote attacker to access sensitive information on an affected device. This vulnerability is due to enabling XML entity substitution that may result in XML external entity injection. An attacker could exploit this vulnerability by submitting a crafted DMG file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to leak bytes from any file that may be read by the ClamAV scanning process.
CVE-2023-6836 | 1 Wso2 | 7 Api Manager, Api Manager Analytics, Api Microgateway and 4 more | 2024-08-02 | 4.6 Medium | Multiple WSO2 products have been identified as vulnerable to an XML External Entity (XXE) attack, which abuses a widely available but rarely used feature of XML parsers to access sensitive information.