Total
998 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-3312 | 1 Alkacon | 1 Opencms | 2021-10-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| An XML external entity (XXE) vulnerability in Alkacon OpenCms 11.0, 11.0.1 and 11.0.2 allows remote authenticated users with edit privileges to exfiltrate files from the server's file system by uploading a crafted SVG document. | |||||
| CVE-2021-38298 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2021-10-15 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine ADManager Plus before 7110 is vulnerable to blind XXE. | |||||
| CVE-2021-41098 | 1 Nokogiri | 1 Nokogiri | 2021-10-06 | 5.0 MEDIUM | 7.5 HIGH |
| Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected: Nokogiri::XML::SAX::Parse, Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser, Nokogiri::XML::SAX::PushParser, and Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser. JRuby users should upgrade to Nokogiri v1.12.5 or later to receive a patch for this issue. There are no workarounds available for v1.12.4 or earlier. CRuby users are not affected. | |||||
| CVE-2021-35201 | 1 Netscout | 1 Ngeniusone | 2021-10-04 | 4.3 MEDIUM | 6.5 MEDIUM |
| NEI in NETSCOUT nGeniusONE 6.3.0 build 1196 allows XML External Entity (XXE) attacks. | |||||
| CVE-2021-29831 | 1 Ibm | 2 Jazz For Service Management, Tivoli Netcool\/omnibus Gui | 2021-09-29 | 5.5 MEDIUM | 8.1 HIGH |
| IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbus_GUI is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 204775. | |||||
| CVE-2021-40356 | 1 Siemens | 1 Teamcenter Visualization | 2021-09-28 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability has been identified in Teamcenter V12.4 (All versions < V12.4.0.8), Teamcenter V13.0 (All versions < V13.0.0.7), Teamcenter V13.1 (All versions < V13.1.0.5), Teamcenter V13.2 (All versions < 13.2.0.2). The application contains a XML External Entity Injection (XXE) vulnerability. This could allow an attacker to view files on the application server filesystem. | |||||
| CVE-2021-30137 | 1 Axiossystems | 1 Assyst | 2021-09-28 | 6.4 MEDIUM | 8.2 HIGH |
| Assyst 10 SP7.5 has authenticated XXE leading to SSRF via XML unmarshalling. The application allows users to send JSON or XML data to the server. It was possible to inject malicious XML data through several access points. | |||||
| CVE-2021-38555 | 1 Apache | 1 Any23 | 2021-09-23 | 6.4 MEDIUM | 9.1 CRITICAL |
| An XML external entity (XXE) injection vulnerability was discovered in the Any23 StreamUtils.java file and is known to affect Any23 versions < 2.5. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access. | |||||
| CVE-2020-6590 | 1 Forcepoint | 3 Data Loss Prevention, Email Security, Web Security Content Gateway | 2021-09-16 | 5.0 MEDIUM | 7.5 HIGH |
| Forcepoint Web Security Content Gateway versions prior to 8.5.4 improperly process XML input, leading to information disclosure. | |||||
| CVE-2021-3055 | 1 Paloaltonetworks | 1 Pan-os | 2021-09-15 | 7.5 HIGH | 6.5 MEDIUM |
| An improper restriction of XML external entity (XXE) reference vulnerability in the Palo Alto Networks PAN-OS web interface enables an authenticated administrator to read any arbitrary file from the file system and send a specifically crafted request to the firewall that causes the service to crash. Repeated attempts to send this request result in denial of service to all PAN-OS services by restarting the device and putting it into maintenance mode. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14; PAN-OS 9.1 versions earlier than PAN-OS 9.1.10; PAN-OS 10.0 versions earlier than PAN-OS 10.0.6. This issue does not affect Prisma Access. | |||||
| CVE-2021-34436 | 1 Eclipse | 1 Theia | 2021-09-14 | 7.5 HIGH | 9.8 CRITICAL |
| In Eclipse Theia 0.1.1 to 0.2.0, it is possible to exploit the default build to obtain remote code execution (and XXE) via the theia-xml-extension. This extension uses lsp4xml (recently renamed to LemMinX) in order to provide language support for XML. This is installed by default. | |||||
| CVE-2021-34823 | 1 On24 | 1 Screenshare | 2021-08-31 | 6.4 MEDIUM | 9.1 CRITICAL |
| The ON24 ScreenShare (aka DesktopScreenShare.app) plugin before 2.0 for macOS allows remote file access via its built-in HTTP server. This allows unauthenticated remote users to retrieve files accessible to the logged-on macOS user. When a remote user sends a crafted HTTP request to the server, it triggers a code path that will download a configuration file from a specified remote machine over HTTP. There is an XXE flaw in processing of this configuration file that allows reading local (to macOS) files and uploading them to remote machines. | |||||
| CVE-2021-27604 | 1 Sap | 1 Netweaver Process Integration | 2021-08-27 | 4.0 MEDIUM | 6.5 MEDIUM |
| In order to prevent XML External Entity vulnerability in SAP NetWeaver ABAP Server and ABAP Platform (Process Integration - Enterprise Service Repository JAVA Mappings), versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50, SAP recommends to refer this note. | |||||
| CVE-2021-27741 | 1 Hcltechsw | 1 Hcl Commerce | 2021-08-24 | 6.4 MEDIUM | 9.1 CRITICAL |
| " Security vulnerability in HCL Commerce Management Center allowing XML external entity (XXE) injection" | |||||
| CVE-2020-18705 | 1 Quokka Project | 1 Quokka | 2021-08-23 | 7.5 HIGH | 9.8 CRITICAL |
| XML External Entities (XXE) in Quokka v0.4.0 allows remote attackers to execute arbitrary code via the component 'quokka/core/content/views.py'. | |||||
| CVE-2020-18703 | 1 Quokka Project | 1 Quokka | 2021-08-23 | 7.5 HIGH | 9.8 CRITICAL |
| XML External Entities (XXE) in Quokka v0.4.0 allows remote attackers to execute arbitrary code via the component 'quokka/utils/atom.py'. | |||||
| CVE-2021-38584 | 1 Cpanel | 1 Cpanel | 2021-08-20 | 6.5 MEDIUM | 7.2 HIGH |
| The WHM Locale Upload feature in cPanel before 98.0.1 allows XXE attacks (SEC-585). | |||||
| CVE-2021-37178 | 1 Siemens | 2 Solid Edge Se2021, Solid Edge Se2021 Firmware | 2021-08-20 | 4.3 MEDIUM | 5.5 MEDIUM |
| A vulnerability has been identified in Solid Edge SE2021 (All Versions < SE2021MP7). An XML external entity injection vulnerability in the underlying XML parser could cause the affected application to disclose arbitrary files to remote attackers by loading a specially crafted xml file. | |||||
| CVE-2021-37425 | 1 Altova | 1 Mobiletogether Server | 2021-08-18 | 6.4 MEDIUM | 9.1 CRITICAL |
| Altova MobileTogether Server before 7.3 SP1 allows XXE attacks, such as an InfoSetChanges/Changes attack against /workflowmanagement, or reading mobiletogetherserver.cfg and then reading the certificate and private key. | |||||
| CVE-2017-8040 | 1 Vmware | 1 Single Sign-on For Pivotal Cloud Foundry | 2021-08-12 | 4.0 MEDIUM | 6.5 MEDIUM |
| In Single Sign-On for Pivotal Cloud Foundry (PCF) 1.3.x versions prior to 1.3.4 and 1.4.x versions prior to 1.4.3, an XXE (XML External Entity) attack was discovered in the Single Sign-On service dashboard. Privileged users can in some cases upload malformed XML leading to exposure of data on the Single Sign-On service broker file system. | |||||