Total
998 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-25312 | 1 Apache | 1 Any23 | 2022-03-12 | 6.4 MEDIUM | 9.1 CRITICAL |
| An XML external entity (XXE) injection vulnerability was discovered in the Any23 RDFa XSLTStylesheet extractor and is known to affect Any23 versions < 2.7. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access. This issue is fixed in Apache Any23 2.7. | |||||
| CVE-2020-14478 | 1 Rockwellautomation | 1 Factorytalk Services Platform | 2022-03-04 | 5.6 MEDIUM | 7.1 HIGH |
| A local, authenticated attacker could use an XML External Entity (XXE) attack to exploit weakly configured XML files to access local or remote content. A successful exploit could potentially cause a denial-of-service condition and allow the attacker to arbitrarily read any local file via system-level services. | |||||
| CVE-2022-24340 | 1 Jetbrains | 1 Teamcity | 2022-03-04 | 7.5 HIGH | 9.8 CRITICAL |
| In JetBrains TeamCity before 2021.2.1, XXE during the parsing of the configuration file was possible. | |||||
| CVE-2022-21205 | 1 Intel | 1 Quartus Prime | 2022-02-15 | 5.0 MEDIUM | 7.5 HIGH |
| Improper restriction of XML external entity reference in DSP Builder Pro for Intel(R) Quartus(R) Prime Pro Edition before version 21.3 may allow an unauthenticated user to potentially enable information disclosure via network access. | |||||
| CVE-2022-21220 | 1 Intel | 1 Quartus Prime | 2022-02-15 | 4.6 MEDIUM | 7.8 HIGH |
| Improper restriction of XML external entity for Intel(R) Quartus(R) Prime Pro Edition before version 21.3 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2021-46660 | 1 Signiant | 1 Manager\+agents | 2022-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| Signiant Manager+Agents before 15.1 allows XML External Entity (XXE) attacks. | |||||
| CVE-2018-7230 | 1 Schneider-electric | 40 Ibp1110-1er, Ibp1110-1er Firmware, Ibp219-1er and 37 more | 2022-02-02 | 6.8 MEDIUM | 8.8 HIGH |
| A XML external entity (XXE) vulnerability exists in the import.cgi of the web interface component of the Schneider Electric's Pelco Sarix Professional in all firmware versions prior to 3.29.67. | |||||
| CVE-2022-23031 | 1 F5 | 3 Big-ip Advanced Web Application Firewall, Big-ip Application Security Manager, Big-ip Fraud Protection Service | 2022-02-01 | 4.0 MEDIUM | 4.9 MEDIUM |
| On BIG-IP FPS, ASM, and Advanced WAF versions 16.1.x before 16.1.1, 15.1.x before 15.1.4, and 14.1.x before 14.1.4.4, an XML External Entity (XXE) vulnerability exists in an undisclosed page of the F5 Advanced Web Application Firewall (Advanced WAF) and BIG-IP ASM Traffic Management User Interface (TMUI), also referred to as the Configuration utility, that allows an authenticated high-privileged attacker to read local files and force BIG-IP to send HTTP requests. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2020-7572 | 1 Schneider-electric | 1 Webreports | 2022-01-31 | 6.5 MEDIUM | 8.8 HIGH |
| A CWE-611 Improper Restriction of XML External Entity Reference vulnerability exists in EcoStruxure Building Operation WebReports V1.9 - V3.1 that could cause an authenticated remote user being able to inject arbitrary XML code and obtain disclosure of confidential data, denial of service, server side request forgery due to improper configuration of the XML parser. | |||||
| CVE-2018-7783 | 1 Schneider-electric | 1 Somachine Basic | 2022-01-31 | 5.0 MEDIUM | 7.5 HIGH |
| Schneider Electric SoMachine Basic prior to v1.6 SP1 suffers from an XML External Entity (XXE) vulnerability using the DTD parameter entities technique resulting in disclosure and retrieval of arbitrary data on the affected node via out-of-band (OOB) attack. The vulnerability is triggered when input passed to the xml parser is not sanitized while parsing the xml project/template file. | |||||
| CVE-2020-4876 | 2 Ibm, Microsoft | 2 Cognos Controller, Windows | 2022-01-27 | 6.4 MEDIUM | 8.2 HIGH |
| IBM Cognos Controller 10.4.0, 10.4.1, and 10.4.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 190839. | |||||
| CVE-2020-4875 | 2 Ibm, Microsoft | 2 Cognos Controller, Windows | 2022-01-27 | 6.4 MEDIUM | 8.2 HIGH |
| IBM Cognos Controller 10.4.0, 10.4.1, and 10.4.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 190838. | |||||
| CVE-2022-0219 | 1 Jadx Project | 1 Jadx | 2022-01-26 | 4.3 MEDIUM | 5.5 MEDIUM |
| Improper Restriction of XML External Entity Reference in GitHub repository skylot/jadx prior to 1.3.2. | |||||
| CVE-2022-0239 | 1 Stanford | 1 Corenlp | 2022-01-22 | 7.5 HIGH | 9.8 CRITICAL |
| corenlp is vulnerable to Improper Restriction of XML External Entity Reference | |||||
| CVE-2022-0198 | 1 Stanford | 1 Corenlp | 2022-01-19 | 5.8 MEDIUM | 7.1 HIGH |
| corenlp is vulnerable to Improper Restriction of XML External Entity Reference | |||||
| CVE-2021-40722 | 1 Adobe | 2 Experience Manager, Experience Manager Cloud Service | 2022-01-19 | 7.5 HIGH | 9.8 CRITICAL |
| AEM Forms Cloud Service offering, as well as version 6.5.10.0 (and below) are affected by an XML External Entity (XXE) injection vulnerability that could be abused by an attacker to achieve RCE. | |||||
| CVE-2021-42560 | 1 Mitre | 1 Caldera | 2022-01-15 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in CALDERA 2.9.0. The Debrief plugin receives base64 encoded "SVG" parameters when generating a PDF document. These SVG documents are parsed in an unsafe manner and can be leveraged for XXE attacks (e.g., File Exfiltration, Server Side Request Forgery, Out of Band Exfiltration, etc.). | |||||
| CVE-2021-44028 | 1 Quest | 1 Kace Desktop Authority | 2022-01-03 | 4.3 MEDIUM | 5.5 MEDIUM |
| XXE can occur in Quest KACE Desktop Authority before 11.2 because the log4net configuration file might be controlled by an attacker, a related issue to CVE-2018-1285. | |||||
| CVE-2019-19032 | 1 Xmlblueprint | 1 Xmlblueprint | 2022-01-01 | 5.5 MEDIUM | 8.1 HIGH |
| XMLBlueprint through 16.191112 is affected by XML External Entity Injection. The impact is: Arbitrary File Read when an XML File is validated. The component is: XML Validate function. The attack vector is: Specially crafted XML payload. | |||||
| CVE-2019-19031 | 1 Edit-xml | 1 Easy Xml Editor | 2022-01-01 | 5.5 MEDIUM | 8.1 HIGH |
| Easy XML Editor through v1.7.8 is affected by: XML External Entity Injection. The impact is: Arbitrary File Read and DoS by consuming resources. The component is: XML Parsing. The attack vector is: Specially crafted XML payload. | |||||