Total: 998 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-28828 | 1 Siemens | 1 Polarion Alm | 2023-05-09 | N/A | 5.9 MEDIUM |
A vulnerability has been identified in Polarion ALM (All versions < V22R2). The application contains an XML External Entity Injection (XXE) vulnerability. This could allow an attacker to view files on the application server filesystem. | |||||
CVE-2023-28008 | 1 Hcltech | 1 Workload Automation | 2023-05-05 | N/A | 8.1 HIGH |
HCL Workload Automation 9.4, 9.5, and 10.1 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. | |||||
CVE-2023-28009 | 1 Hcltech | 1 Workload Automation | 2023-05-05 | N/A | 8.1 HIGH |
HCL Workload Automation is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. | |||||
CVE-2022-45876 | 1 Visam | 1 Vbase | 2023-05-05 | N/A | 5.5 MEDIUM |
Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file. | |||||
CVE-2023-26058 | 1 Nokia | 1 Netact | 2023-05-04 | N/A | 6.5 MEDIUM |
An XXE issue was discovered in Nokia NetAct before 22 FP2211 via an XML document to a Performance Manager page. Input validation and a proper XML parser configuration are missing. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user. | |||||
CVE-2023-26057 | 1 Nokia | 1 Netact | 2023-05-04 | N/A | 6.5 MEDIUM |
An XXE issue was discovered in Nokia NetAct before 22 FP2211 via an XML document to the Configuration Dashboard page. Input validation and a proper XML parser configuration are missing. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user. | |||||
CVE-2022-38840 | 1 Guralp | 1 Man-eam-0003 | 2023-04-25 | N/A | 7.5 HIGH |
cgi-bin/xmlstatus.cgi in Güralp MAN-EAM-0003 3.2.4 is vulnerable to an XML External Entity (XXE) issue via XML file upload, which leads to local file disclosure. | |||||
CVE-2023-26264 | 1 Talend | 1 Data Catalog | 2023-04-21 | N/A | 5.5 MEDIUM |
All versions of Talend Data Catalog before 8.0-20220907 are potentially vulnerable to XML External Entity (XXE) attacks in the license parsing code. | |||||
CVE-2023-26263 | 1 Talend | 1 Data Catalog | 2023-04-21 | N/A | 5.5 MEDIUM |
All versions of Talend Data Catalog before 8.0-20230110 are potentially vulnerable to XML External Entity (XXE) attacks in the /MIMBWebServices/license endpoint of the remote harvesting server. | |||||
CVE-2023-25955 | 1 Mlit | 1 National Land Numerical Information Data Conversion Tool | 2023-04-18 | N/A | 5.5 MEDIUM |
All versions of the National Land Numerical Information Data Conversion Tool improperly restrict XML external entity references (XXE). By processing a specially crafted XML file, an attacker may access arbitrary files on the PC. | |||||
CVE-2023-28340 | 1 Zohocorp | 1 Manageengine Applications Manager | 2023-04-14 | N/A | 6.5 MEDIUM |
Zoho ManageEngine Applications Manager through 16320 allows the admin user to conduct an XXE attack. | |||||
CVE-2023-23926 | 1 Neo4j | 1 Awesome Procedures On Cypher | 2023-04-14 | N/A | 8.1 HIGH |
APOC (Awesome Procedures on Cypher) is an add-on library for Neo4j. An XML External Entity (XXE) vulnerability was found in the apoc.import.graphml procedure of the APOC core plugin prior to versions 5.5.0 and 4.4.0.14 (4.4 branch) in the Neo4j graph database. XML External Entity (XXE) injection occurs when the XML parser allows external entities to be resolved. The XML parser used by the apoc.import.graphml procedure was not configured in a secure way and therefore allowed this. External entities can be used to read local files, send HTTP requests, and perform denial-of-service attacks on the application. Abusing the XXE vulnerability enabled assessors to read local files remotely, although with the level of privileges assessors had this was limited to one-line files. With the ability to write to the database, any file could have been read. Additionally, assessors noted, with local testing, that the server could be crashed by passing in improperly formatted XML. The minimum version containing a patch for this vulnerability is 5.5.0. Those who cannot upgrade the library can control the allowlist of the procedures that can be used in their system. | |||||
CVE-2023-26461 | 1 Sap | 1 Netweaver Enterprise Portal | 2023-04-11 | N/A | 4.9 MEDIUM |
SAP NetWeaver (SAP Enterprise Portal) version 7.50 allows an authenticated attacker with sufficient privileges to access the XML parser and submit a crafted XML file which, when parsed, enables them to access but not modify sensitive files and data. It allows the attacker to view sensitive data which is owned by certain privileges. | |||||
CVE-2017-9095 | 1 Divinglog | 1 Diving Log | 2023-04-10 | 4.3 MEDIUM | 5.5 MEDIUM |
XXE in Diving Log 6.0 allows attackers to remotely view local files through a crafted dive.xml file that is mishandled during a Subsurface import. | |||||
CVE-2023-28681 | 1 Jenkins | 1 Visual Studio Code Metrics | 2023-04-09 | N/A | 8.2 HIGH |
Jenkins Visual Studio Code Metrics Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
CVE-2023-28682 | 1 Jenkins | 1 Performance Publisher | 2023-04-09 | N/A | 8.2 HIGH |
Jenkins Performance Publisher Plugin 8.09 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
CVE-2023-28683 | 1 Jenkins | 1 Phabricator Differential | 2023-04-09 | N/A | 8.2 HIGH |
Jenkins Phabricator Differential Plugin 2.1.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
CVE-2023-28684 | 1 Jenkins | 1 Remote-jobs-view | 2023-04-09 | N/A | 6.5 MEDIUM |
Jenkins remote-jobs-view-plugin Plugin 0.0.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
CVE-2023-28680 | 1 Jenkins | 1 Crap4j | 2023-04-08 | N/A | 7.5 HIGH |
Jenkins Crap4J Plugin 0.9 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
CVE-2022-36969 | 1 Aveva | 1 Aveva Edge | 2023-04-06 | N/A | 7.1 HIGH |
This vulnerability allows remote attackers to disclose sensitive information on affected installations of AVEVA Edge 2020 SP2 Patch 0 (4201.2111.1802.0000). User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the LoadImportedLibraries method. Due to the improper restriction of XML External Entity (XXE) references, a crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose information in the context of the current process. This was ZDI-CAN-17394. | |||||