Vulnerabilities (CVE)

Filtered by CWE-611
Total 998 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-1630 1 Salesforce 1 Mule 2021-08-12 5.0 MEDIUM 7.5 HIGH
XML external entity (XXE) vulnerability affecting certain versions of a Mule runtime component that may affect CloudHub, GovCloud, Runtime Fabric, Pivotal Cloud Foundry, Private Cloud Edition, and on-premise customers.
CVE-2020-26564 1 Objectplanet 1 Opinio 2021-08-09 4.0 MEDIUM 6.5 MEDIUM
ObjectPlanet Opinio before 7.15 allows XXE attacks via three steps: modify a .css file to have <!ENTITY content, create a .xml file for a generic survey template (containing a link to this .css file), and import this .xml file at the survey/admin/folderSurvey.do?action=viewImportSurvey['importFile'] URI. The XXE can then be triggered at a admin/preview.do?action=previewSurvey&surveyId= URI.
CVE-2021-23418 1 Glances Project 1 Glances 2021-08-05 7.5 HIGH 9.8 CRITICAL
The package glances before 3.2.1 are vulnerable to XML External Entity (XXE) Injection via the use of Fault to parse untrusted XML data, which is known to be vulnerable to XML attacks.
CVE-2021-20595 1 Mitsubishi 38 Ae-200a, Ae-200a Firmware, Ae-200e and 35 more 2021-08-04 8.5 HIGH 8.2 HIGH
Improper Restriction of XML External Entity Reference vulnerability in Mitsubishi Electric Air Conditioning System/Centralized Controllers (G-50A Ver.3.35 and prior, GB-50A Ver.3.35 and prior, GB-24A Ver.9.11 and prior, AG-150A-A Ver.3.20 and prior, AG-150A-J Ver.3.20 and prior, GB-50ADA-A Ver.3.20 and prior, GB-50ADA-J Ver.3.20 and prior, EB-50GU-A Ver 7.09 and prior, EB-50GU-J Ver 7.09 and prior, AE-200A Ver 7.93 and prior, AE-200E Ver 7.93 and prior, AE-50A Ver 7.93 and prior, AE-50E Ver 7.93 and prior, EW-50A Ver 7.93 and prior, EW-50E Ver 7.93 and prior, TE-200A Ver 7.93 and prior, TE-50A Ver 7.93 and prior, TW-50A Ver 7.93 and prior, CMS-RMD-J Ver.1.30 and prior), Air Conditioning System/Expansion Controllers (PAC-YG50ECA Ver.2.20 and prior) and Air Conditioning System/BM adapter(BAC-HD150 Ver.2.21 and prior) allows a remote unauthenticated attacker to disclose some of data in the air conditioning system or cause a DoS condition by sending specially crafted packets.
CVE-2021-20399 2 Ibm, Linux 2 Qradar Security Information And Event Manager, Linux Kernel 2021-08-04 6.4 MEDIUM 9.1 CRITICAL
IBM Qradar SIEM 7.3.0 to 7.3.3 Patch 8 and 7.4.0 to 7.4.3 GA is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 196073.
CVE-2019-3752 1 Dell 2 Emc Avamar Server, Emc Integrated Data Protection Appliance 2021-07-28 6.4 MEDIUM 8.2 HIGH
Dell EMC Avamar Server versions 7.4.1, 7.5.0, 7.5.1, 18.2 and 19.1 and Dell EMC Integrated Data Protection Appliance (IDPA) versions 2.0, 2.1, 2.2, 2.3 and 2.4. contain an XML External Entity(XXE) Injection vulnerability. A remote unauthenticated malicious user could potentially exploit this vulnerability to cause Denial of Service or information exposure by supplying specially crafted document type definitions (DTDs) in an XML request.
CVE-2018-8819 1 Carrier 1 Automatedlogic Webctrl 2021-07-27 5.0 MEDIUM 7.5 HIGH
An XXE issue was discovered in Automated Logic Corporation (ALC) WebCTRL Versions 6.0, 6.1 and 6.5. An unauthenticated attacker could enter malicious input to WebCTRL and a weakly configured XML parser will allow the application to disclose full file contents from the underlying web server OS via the "X-Wap-Profile" HTTP header.
CVE-2016-5795 2 Automatedlogic, Carrier 3 I-vu, Sitescan Web, Automatedlogic Webctrl 2021-07-27 7.5 HIGH 7.3 HIGH
An XXE issue was discovered in Automated Logic Corporation (ALC) Liebert SiteScan Web Version 6.5 and prior, ALC WebCTRL Version 6.5 and prior, and Carrier i-Vu Version 6.5 and prior. An attacker could enter malicious input to WebCTRL, i-Vu, or SiteScan Web through a weakly configured XML parser causing the application to execute arbitrary code or disclose file contents from a server or connected network.
CVE-2017-5661 1 Apache 1 Formatting Objects Processor 2021-07-22 7.9 HIGH 7.3 HIGH
In Apache FOP before 2.2, files lying on the filesystem of the server which uses FOP can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.
CVE-2020-4377 1 Ibm 1 Cognos Analytics 2021-07-21 6.4 MEDIUM 9.1 CRITICAL
IBM Cognos Anaytics 11.0 and 11.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 179156.
CVE-2020-25186 1 We-con 1 Levistudiou 2021-07-21 5.0 MEDIUM 7.5 HIGH
An XXE vulnerability exists within LeviStudioU Release Build 2019-09-21 and prior when processing parameter entities, which may allow file disclosure.
CVE-2020-11885 1 Wso2 1 Enterprise Integrator 2021-07-21 6.5 MEDIUM 7.2 HIGH
WSO2 Enterprise Integrator through 6.6.0 has an XXE vulnerability where a user (with admin console access) can use the XML validator to make unintended network invocations such as SSRF via an uploaded file.
CVE-2019-17020 2 Canonical, Mozilla 2 Ubuntu Linux, Firefox 2021-07-21 4.3 MEDIUM 6.5 MEDIUM
If an XML file is served with a Content Security Policy and the XML file includes an XSL stylesheet, the Content Security Policy will not be applied to the contents of the XSL stylesheet. If the XSL sheet e.g. includes JavaScript, it would bypass any of the restrictions of the Content Security Policy applied to the XML document. This vulnerability affects Firefox < 72.
CVE-2020-4481 1 Ibm 1 Urbancode Deploy 2021-07-21 6.4 MEDIUM 8.2 HIGH
IBM UrbanCode Deploy (UCD) 6.2.7.3, 6.2.7.4, 7.0.3.0, and 7.0.4.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 181848.
CVE-2020-24589 1 Wso2 2 Api Manager, Api Microgateway 2021-07-21 6.4 MEDIUM 9.1 CRITICAL
The Management Console in WSO2 API Manager through 3.1.0 and API Microgateway 2.2.0 allows XML External Entity injection (XXE) attacks.
CVE-2019-19702 1 Modoboa 1 Modoboa-dmarc 2021-07-21 5.0 MEDIUM 7.5 HIGH
The modoboa-dmarc plugin 1.1.0 for Modoboa is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this to perform a denial of service against the DMARC reporting functionality, such as by referencing the /dev/random file within XML documents that are emailed to the address in the rua field of the DMARC records of a domain.
CVE-2020-27017 2 Microsoft, Trendmicro 2 Windows, Interscan Messaging Security Virtual Appliance 2021-07-21 4.0 MEDIUM 4.9 MEDIUM
Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 is vulnerable to an XML External Entity Processing (XXE) vulnerability which could allow an authenticated administrator to read arbitrary local files. An attacker must already have obtained product administrator/root privileges to exploit this vulnerability.
CVE-2019-18213 3 Eclipse, Theia Xml Extension Project, Xml Language Server Project 3 Wild Web Developer, Theia Xml Extension, Xml Server Project 2021-07-21 6.5 MEDIUM 8.8 HIGH
XML Language Server (aka lsp4xml) before 0.9.1, as used in Red Hat XML Language Support (aka vscode-xml) before 0.9.1 for Visual Studio and other products, allows XXE via a crafted XML document, with resultant SSRF (as well as SMB connection initiation that can lead to NetNTLM challenge/response capture for password cracking). This occurs in extensions/contentmodel/participants/diagnostics/LSPXMLParserConfiguration.java.
CVE-2019-8126 1 Magento 1 Magento 2021-07-21 4.0 MEDIUM 4.9 MEDIUM
An XML entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can craft document type definition for an XML representing XML layout. The crafted document type definition and XML layout allow processing of external entities which can lead to information disclosure.
CVE-2020-8540 1 Zohocorp 1 Manageengine Desktop Central 2021-07-21 7.5 HIGH 9.8 CRITICAL
An XML external entity (XXE) vulnerability in Zoho ManageEngine Desktop Central before the 07-Mar-2020 update allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.