Total
1072 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-10839 | 1 Zohocorp | 1 Manageengine Sharepoint Manager Plus | 2024-11-13 | 8.5 High |
| Zohocorp ManageEngine SharePoint Manager Plus versions 4503 and prior are vulnerable to authenticated XML External Entity (XXE) in the Management option. | ||||
| CVE-2020-3405 | 1 Cisco | 1 Sd-wan Firmware | 2024-11-13 | 7.3 High |
| A vulnerability in the web UI of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to gain read and write access to information that is stored on an affected system. The vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by persuading a user to import a crafted XML file with malicious entries. A successful exploit could allow the attacker to read and write files within the affected application. | ||||
| CVE-2024-52007 | 1 Hapifhir | 1 Hl7 Fhir Core | 2024-11-12 | 8.6 High |
| HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. XSLT parsing performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag ( <!DOCTYPE foo [<!ENTITY example SYSTEM "/etc/passwd"> ]> could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is being used to within a host where external clients can submit XML. This is related to GHSA-6cr6-ph3p-f5rf, in which its fix (#1571 & #1717) was incomplete. This issue has been addressed in release version 6.4.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2021-1369 | 1 Cisco | 1 Firepower Device Manager | 2024-11-08 | 5.4 Medium |
| A vulnerability in the REST API of Cisco Firepower Device Manager (FDM) On-Box Software could allow an authenticated, remote attacker to gain read and write access to information that is stored on an affected device. This vulnerability is due to the improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by sending malicious requests that contain references in XML entities to an affected system. A successful exploit could allow the attacker to retrieve files from the local system, resulting in the disclosure of sensitive information or causing a partial denial of service (DoS) condition on the affected device. | ||||
| CVE-2021-1530 | 1 Cisco | 1 Broadworks Messaging Server | 2024-11-08 | 5.4 Medium |
| A vulnerability in the web-based management interface of Cisco BroadWorks Messaging Server Software could allow an authenticated, remote attacker to access sensitive information or cause a partial denial of service (DoS) condition on an affected system. This vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by uploading a crafted XML file that contains references to external entities. A successful exploit could allow the attacker to retrieve files from the local system, resulting in the disclosure of sensitive information, or cause the application to consume available resources, resulting in a partial DoS condition on an affected system. There are workarounds that address this vulnerability. | ||||
| CVE-2021-34706 | 1 Cisco | 1 Identity Services Engine | 2024-11-07 | 6.4 Medium |
| A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access sensitive information or conduct a server-side request forgery (SSRF) attack through an affected device. This vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by uploading a crafted XML file that contains references to external entities. A successful exploit could allow the attacker to retrieve files from the local system, resulting in the disclosure of sensitive information, or cause the web application to perform arbitrary HTTP requests on behalf of the attacker. | ||||
| CVE-2024-24743 | 1 Sap | 1 Netweaver Application Server Java | 2024-11-07 | 8.6 High |
| SAP NetWeaver AS Java (CAF - Guided Procedures) - version 7.50, allows an unauthenticated attacker to submit a malicious request with a crafted XML file over the network, which when parsed will enable him to access sensitive files and data but not modify them. There are expansion limits in place so that availability is not affected. | ||||
| CVE-2023-37942 | 1 Jenkins | 1 External Monitor Job Type | 2024-11-07 | 6.5 Medium |
| Jenkins External Monitor Job Type Plugin 206.v9a_94ff0b_4a_10 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | ||||
| CVE-2023-37200 | 1 Se | 1 Ecostruxure Opc Ua Server Expert | 2024-11-07 | 5.5 Medium |
| A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause loss of confidentiality when replacing a project file on the local filesystem and after manual restart of the server. | ||||
| CVE-2024-45086 | 1 Ibm | 1 Websphere Application Server | 2024-11-06 | 5.5 Medium |
| IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A privileged user could exploit this vulnerability to expose sensitive information or consume memory resources. | ||||
| CVE-2024-51132 | 1 Fhir | 1 Hapi Fhir | 2024-11-06 | 9.8 Critical |
| An XML External Entity (XXE) vulnerability in HAPI FHIR before v6.4.0 allows attackers to access sensitive information or execute arbitrary code via supplying a crafted request containing malicious XML entities. | ||||
| CVE-2024-51136 | 1 Openimaj | 1 Openimaj | 2024-11-06 | 9.8 Critical |
| An XML External Entity (XXE) vulnerability in Dmoz2CSV in openimaj v1.3.10 allows attackers to access sensitive information or execute arbitrary code via supplying a crafted XML file. | ||||
| CVE-2024-20531 | 2024-11-06 | 5.5 Medium | ||
| A vulnerability in the API of Cisco ISE could allow an authenticated, remote attacker to read arbitrary files on the underlying operating system of an affected device and conduct a server-side request forgery (SSRF) attack through an affected device. To exploit this vulnerability, the attacker would need valid Super Admin credentials. This vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing XML input. An attacker could exploit this vulnerability by sending a crafted API request to an affected device. A successful exploit could allow the attacker to read arbitrary files on the underlying operating system or conduct an SSRF attack through the affected device. | ||||
| CVE-2023-20918 | 1 Google | 1 Android | 2024-11-06 | 9.8 Critical |
| In getPendingIntentLaunchFlags of ActivityOptions.java, there is a possible elevation of privilege due to a confused deputy with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2022-20780 | 1 Cisco | 1 Enterprise Nfv Infrastructure Software | 2024-11-06 | 9.9 Critical |
| Multiple vulnerabilities in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an attacker to escape from the guest virtual machine (VM) to the host machine, inject commands that execute at the root level, or leak system data from the host to the VM. For more information about these vulnerabilities, see the Details section of this advisory. | ||||
| CVE-2024-37388 | 2 Dnkorpushov, Lxml | 2 Ebookmeta, Lxml | 2024-10-30 | 9.1 Critical |
| An XML External Entity (XXE) vulnerability in the ebookmeta.get_metadata function of lxml before v4.9.1 allows attackers to access sensitive information or cause a Denial of Service (DoS) via crafted XML input. | ||||
| CVE-2023-32706 | 1 Splunk | 2 Splunk, Splunk Cloud Platform | 2024-10-30 | 7.7 High |
| On Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, an unauthenticated attacker can send specially-crafted messages to the XML parser within SAML authentication to cause a denial of service in the Splunk daemon. | ||||
| CVE-2023-46802 | 1 Nta | 1 E-tax | 2024-10-29 | 5.5 Medium |
| e-Tax software Version3.0.10 and earlier improperly restricts XML external entity references (XXE) due to the configuration of the embedded XML parser. By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker. | ||||
| CVE-2024-50442 | 1 Royal-elementor-addons | 1 Royal Elementor Addons | 2024-10-29 | 6.5 Medium |
| Improper Restriction of XML External Entity Reference vulnerability in WP Royal Royal Elementor Addons allows XML Injection.This issue affects Royal Elementor Addons: from n/a through 1.3.980. | ||||
| CVE-2023-32635 | 1 Edinet-fsa | 1 Xbrl Data Create | 2024-10-28 | 5.5 Medium |
| XBRL data create application version 7.0 and earlier improperly restricts XML external entity references (XXE). By processing a specially crafted XBRL file, arbitrary files on the system may be read by an attacker. | ||||