Total
97 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-46214 | 1 Splunk | 3 Cloud, Splunk, Splunk Enterprise | 2025-01-15 | 8 High |
| In Splunk Enterprise versions below 9.0.7 and 9.1.2, Splunk Enterprise does not safely sanitize extensible stylesheet language transformations (XSLT) that users supply. This means that an attacker can upload malicious XSLT which can result in remote code execution on the Splunk Enterprise instance. | ||||
| CVE-2024-25413 | 1 Firebearstudio | 1 Improved Import \& Export | 2025-01-13 | 7.2 High |
| A XSLT Server Side injection vulnerability in the Import Jobs function of FireBear Improved Import And Export v3.8.6 allows attackers to execute arbitrary commands via a crafted XSLT file. | ||||
| CVE-2024-13190 | 2025-01-08 | 6.3 Medium | ||
| A vulnerability classified as critical was found in ZeroWdd myblog 1.0. This vulnerability affects unknown code of the file src/main/resources/mapper/BlogMapper.xml. The manipulation of the argument findBlogList/getTotalBlogs leads to xml injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-34740 | 1 Google | 1 Android | 2024-12-17 | 7.7 High |
| In attributeBytesBase64 and attributeBytesHex of BinaryXmlSerializer.java, there is a possible arbitrary XML injection due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2024-11622 | 1 Hpe | 1 Insight Remote Support | 2024-12-12 | 7.3 High |
| An XML external entity injection (XXE) vulnerability in HPE Insight Remote Support may allow remote users to disclose information in certain cases. | ||||
| CVE-2024-53674 | 1 Hpe | 1 Insight Remote Support | 2024-12-12 | 7.3 High |
| An XML external entity injection (XXE) vulnerability in HPE Insight Remote Support may allow remote users to disclose information in certain cases. | ||||
| CVE-2024-53675 | 1 Hpe | 1 Insight Remote Support | 2024-12-12 | 7.3 High |
| An XML external entity injection (XXE) vulnerability in HPE Insight Remote Support may allow remote users to disclose information in certain cases. | ||||
| CVE-2024-33858 | 2024-11-21 | 5.3 Medium | ||
| An issue was discovered in Logpoint before 7.4.0. A path injection vulnerability is seen while adding a CSV enrichment source. The source_name parameter could be changed to an absolute path; this will write the CSV file to that path inside the /tmp directory. | ||||
| CVE-2024-28109 | 2024-11-21 | 8.1 High | ||
| veraPDF-library is a PDF/A validation library. Executing policy checks using custom schematron files invokes an XSL transformation that could lead to a remote code execution (RCE) vulnerability. This vulnerability is fixed in 1.24.2. | ||||
| CVE-2023-43187 | 1 Nodebb | 1 Nodebb | 2024-11-21 | 9.8 Critical |
| A remote code execution (RCE) vulnerability in the xmlrpc.php endpoint of NodeBB Inc NodeBB forum software prior to v1.18.6 allows attackers to execute arbitrary code via crafted XML-RPC requests. | ||||
| CVE-2023-40612 | 1 Opennms | 2 Horizon, Meridian | 2024-11-21 | 5.3 Medium |
| In OpenMNS Horizon 31.0.8 and versions earlier than 32.0.2, the file editor which is accessible to any user with ROLE_FILESYSTEM_EDITOR privileges is vulnerable to XXE injection attacks. The solution is to upgrade to Meridian 2023.1.5 or Horizon 32.0.2 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. OpenNMS thanks Erik Wynter for reporting this issue. | ||||
| CVE-2023-38207 | 1 Adobe | 1 Commerce | 2024-11-21 | 7.5 High |
| Adobe Commerce versions 2.4.6-p1 (and earlier), 2.4.5-p3 (and earlier) and 2.4.4-p4 (and earlier) are affected by a XML Injection (aka Blind XPath Injection) vulnerability that could lead in minor arbitrary file system read. Exploitation of this issue does not require user interaction. | ||||
| CVE-2023-35858 | 2024-11-21 | 5.3 Medium | ||
| XPath Injection vulnerabilities in the blog and RSS functions of Modern Campus - Omni CMS 2023.1 allow a remote, unauthenticated attacker to obtain application information. | ||||
| CVE-2023-32173 | 2024-11-21 | N/A | ||
| Unified Automation UaGateway AddServer XML Injection Denial-of-Service Vulnerability. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Unified Automation UaGateway. Authentication is required to exploit this vulnerability when the product is in its default configuration. The specific flaw exists within the implementation of the AddServer method. By specifying crafted arguments, an attacker can cause invalid characters to be inserted into an XML configuration file. An attacker can leverage this vulnerability to create a persistent denial-of-service condition on the system. . Was ZDI-CAN-20576. | ||||
| CVE-2023-29289 | 1 Adobe | 2 Commerce, Magento | 2024-11-21 | 6.5 Medium |
| Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an XML Injection vulnerability. An attacker with low privileges can trigger a specially crafted script to a security feature bypass. Exploitation of this issue does not require user interaction. | ||||
| CVE-2023-27328 | 2024-11-21 | N/A | ||
| Parallels Desktop Toolgate XML Injection Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop. An attacker must first obtain the ability to execute low-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Toolgate component. The issue results from the lack of proper validation of a user-supplied string before using it to construct an XML document. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the hypervisor. Was ZDI-CAN-19187. | ||||
| CVE-2023-27253 | 1 Netgate | 1 Pfsense | 2024-11-21 | 8.8 High |
| A command injection vulnerability in the function restore_rrddata() of Netgate pfSense v2.7.0 allows authenticated attackers to execute arbitrary commands via manipulating the contents of an XML file supplied to the component config.xml. | ||||
| CVE-2023-22485 | 1 Github | 1 Cmark-gfm | 2024-11-21 | 5.3 Medium |
| cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior 0.29.0.gfm.7, a crafted markdown document can trigger an out-of-bounds read in the `validate_protocol` function. We believe this bug is harmless in practice, because the out-of-bounds read accesses `malloc` metadata without causing any visible damage.This vulnerability has been patched in 0.29.0.gfm.7. | ||||
| CVE-2023-22247 | 1 Adobe | 2 Commerce, Magento Open Source | 2024-11-21 | 7.5 High |
| Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an XML Injection vulnerability that could lead to arbitrary file system read. An unauthenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction. | ||||
| CVE-2022-4245 | 2 Codehaus-plexus, Redhat | 23 Plexus-utils, A Mq Clients, Amq Broker and 20 more | 2024-11-21 | 4.3 Medium |
| A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --> sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection. | ||||