Total
998 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-3836 | 1 Dbeaver | 1 Dbeaver | 2021-12-15 | 4.3 MEDIUM | 5.5 MEDIUM |
| dbeaver is vulnerable to Improper Restriction of XML External Entity Reference | |||||
| CVE-2019-13358 | 1 Opencats | 1 Opencats | 2021-12-14 | 5.0 MEDIUM | 7.5 HIGH |
| lib/DocumentToText.php in OpenCats before 0.9.4-3 has XXE that allows remote users to read files on the underlying operating system. The attacker must upload a file in the docx or odt format. | |||||
| CVE-2021-44557 | 1 Kb | 1 Multiner | 2021-12-13 | 6.4 MEDIUM | 9.1 CRITICAL |
| National Library of the Netherlands multiNER <= c0440948057afc6e3d6b4903a7c05e666b94a3bc is affected by an XML External Entity (XXE) vulnerability in multiNER/ner.py. Since XML parsing resolves external entities, a malicious XML stream could leak internal files and/or cause a DoS. | |||||
| CVE-2021-44556 | 1 Kb | 1 Digger | 2021-12-13 | 6.4 MEDIUM | 9.1 CRITICAL |
| National Library of the Netherlands digger < 6697d1269d981e35e11f240725b16401b5ce3db5 is affected by a XML External Entity (XXE) vulnerability. Since XML parsing resolves external entities, a malicious XML stream could leak internal files and/or cause a DoS. | |||||
| CVE-2021-42776 | 1 Cloverdx | 1 Cloverdx | 2021-12-03 | 6.8 MEDIUM | 7.7 HIGH |
| CloverDX Server before 5.11.2 and and 5.12.x before 5.12.1 allows XXE during configuration import. | |||||
| CVE-2019-4730 | 2 Ibm, Netapp | 2 Cognos Analytics, Oncommand Insight | 2021-12-01 | 5.5 MEDIUM | 7.1 HIGH |
| IBM Cognos Analytics 11.0 and 11.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 172533. | |||||
| CVE-2020-4300 | 2 Ibm, Netapp | 2 Cognos Analytics, Oncommand Insight | 2021-12-01 | 6.4 MEDIUM | 8.2 HIGH |
| IBM Cognos Analytics 11.0 and 11.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 176607. | |||||
| CVE-2021-44147 | 1 Claris | 2 Filemaker Pro, Filemaker Server | 2021-11-23 | 4.3 MEDIUM | 5.5 MEDIUM |
| An XML External Entity issue in Claris FileMaker Pro and Server (including WebDirect) before 19.4.1 allows a remote attacker to disclose local files via a crafted XML/Excel document and perform server-side request forgery attacks. | |||||
| CVE-2021-20839 | 1 Antennahouse | 1 Office Server Document Converter | 2021-11-08 | 4.3 MEDIUM | 6.5 MEDIUM |
| Office Server Document Converter V7.2MR4 and earlier and V7.1MR7 and earlier allows a remote unauthenticated attacker to conduct an XML External Entity (XXE) attack to cause a denial of service (DoS) condition to the other servers by processing a specially crafted XML document. | |||||
| CVE-2021-20838 | 1 Antennahouse | 1 Office Server Document Converter | 2021-11-08 | 5.0 MEDIUM | 7.5 HIGH |
| Office Server Document Converter V7.2MR4 and earlier and V7.1MR7 and earlier allows a remote unauthenticated attacker to conduct an XML External Entity (XXE) attack to cause a denial of service (DoS) condition by processing a specially crafted XML document. | |||||
| CVE-2021-36172 | 1 Fortinet | 1 Fortiportal | 2021-11-04 | 6.4 MEDIUM | 8.1 HIGH |
| An improper restriction of XML external entity reference vulnerability in the parser of XML responses of FortiPortal before 6.0.6 may allow an attacker who controls the producer of XML reports consumed by FortiPortal to trigger a denial of service or read arbitrary files from the underlying file system by means of specifically crafted XML documents. | |||||
| CVE-2021-27635 | 1 Sap | 1 Netweaver Application Server For Java | 2021-11-04 | 5.5 MEDIUM | 6.5 MEDIUM |
| SAP NetWeaver AS for JAVA, versions - 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker authenticated as an administrator to connect over a network and submit a specially crafted XML file in the application because of missing XML Validation, this vulnerability enables attacker to fully compromise confidentiality by allowing them to read any file on the filesystem or fully compromise availability by causing the system to crash. The attack cannot be used to change any data so that there is no compromise as to integrity. | |||||
| CVE-2020-25912 | 1 Getsymphony | 1 Symphony | 2021-11-02 | 6.4 MEDIUM | 9.1 CRITICAL |
| A XML External Entity (XXE) vulnerability was discovered in symphony\lib\toolkit\class.xmlelement.php in Symphony 2.7.10 which can lead to an information disclosure or denial of service (DOS). | |||||
| CVE-2020-25911 | 1 Modx | 1 Modx Revolution | 2021-11-02 | 6.4 MEDIUM | 9.1 CRITICAL |
| A XML External Entity (XXE) vulnerability was discovered in the modRestServiceRequest component in MODX CMS 2.7.3 which can lead to an information disclosure or denial of service (DOS). | |||||
| CVE-2021-3869 | 1 Stanford | 1 Corenlp | 2021-10-21 | 5.0 MEDIUM | 7.5 HIGH |
| corenlp is vulnerable to Improper Restriction of XML External Entity Reference | |||||
| CVE-2021-3878 | 1 Stanford | 1 Corenlp | 2021-10-20 | 7.5 HIGH | 9.8 CRITICAL |
| corenlp is vulnerable to Improper Restriction of XML External Entity Reference | |||||
| CVE-2020-19954 | 1 S-cms | 1 S-cms | 2021-10-20 | 5.0 MEDIUM | 7.5 HIGH |
| An XML External Entity (XXE) vulnerability was discovered in /api/notify.php in S-CMS 3.0 which allows attackers to read arbitrary files. | |||||
| CVE-2014-3004 | 3 Castor Project, Opensuse, Opensuse Project | 3 Castor, Opensuse, Opensuse | 2021-10-20 | 4.3 MEDIUM | N/A |
| The default configuration for the Xerces SAX Parser in Castor before 1.3.3 allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XML document. | |||||
| CVE-2021-20801 | 1 Cybozu | 1 Remote Service Manager | 2021-10-19 | 4.0 MEDIUM | 6.5 MEDIUM |
| Cybozu Remote Service 3.1.8 to 3.1.9 allows a remote authenticated attacker to conduct XML External Entity (XXE) attacks and obtain the information stored in the product via unspecified vectors. This issue occurs only when using Mozilla Firefox. | |||||
| CVE-2021-40500 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2021-10-18 | 5.0 MEDIUM | 7.5 HIGH |
| SAP BusinessObjects Business Intelligence Platform (Crystal Reports) - versions 420, 430, allows an unauthenticated attacker to exploit missing XML validations at endpoints to read sensitive data. These endpoints are normally exposed over the network and successful exploitation can enable the attacker to retrieve arbitrary files from the server. | |||||