Total
998 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2016-9491 | 1 Zohocorp | 1 Manageengine Applications Manager | 2019-10-09 | 6.8 MEDIUM | 4.9 MEDIUM |
| ManageEngine Applications Manager 12 and 13 before build 13690 allows an authenticated user, who is able to access /register.do page (most likely limited to administrator), to browse the filesystem and read the system files, including Applications Manager configuration, stored private keys, etc. By default Application Manager is running with administrative privileges, therefore it is possible to access every directory on the underlying operating system. | |||||
| CVE-2016-9487 | 1 W3 | 1 Epubcheck | 2019-10-09 | 6.8 MEDIUM | 7.8 HIGH |
| EpubCheck 4.0.1 does not properly restrict resolving external entities when parsing XML in EPUB files during validation. An attacker who supplies a specially crafted EPUB file may be able to exploit this behavior to read arbitrary files, or have the victim execute arbitrary requests on his behalf, abusing the victim's trust relationship with other entities. | |||||
| CVE-2015-2125 | 1 Hp | 1 Webinspect | 2019-10-09 | 4.0 MEDIUM | N/A |
| Unspecified vulnerability in HP WebInspect 7.x through 10.4 before 10.4 update 1 allows remote authenticated users to bypass intended access restrictions via unknown vectors. | |||||
| CVE-2015-9280 | 1 Mailenable | 1 Mailenable | 2019-10-03 | 5.0 MEDIUM | 10.0 CRITICAL |
| MailEnable before 8.60 allows XXE via an XML document in the request.aspx Options parameter. | |||||
| CVE-2017-3548 | 1 Oracle | 1 Peoplesoft Enterprise Peopletools | 2019-10-03 | 6.4 MEDIUM | 6.5 MEDIUM |
| Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Integration Broker). Supported versions that are affected are 8.54 and 8.55. Easily "exploitable" vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of PeopleSoft Enterprise PeopleTools. CVSS 3.0 Base Score 6.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L). | |||||
| CVE-2017-8710 | 1 Microsoft | 2 Windows 7, Windows Server 2008 | 2019-10-03 | 4.3 MEDIUM | 5.5 MEDIUM |
| The Microsoft Common Console Document (.msc) in Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1 allows an attacker to read arbitrary files via an XML external entity (XXE) declaration, due to the way that the Microsoft Common Console Document (.msc) parses XML input containing a reference to an external entity, aka "Windows Information Disclosure Vulnerability". | |||||
| CVE-2017-3839 | 1 Cisco | 1 Secure Access Control System | 2019-10-03 | 4.0 MEDIUM | 4.3 MEDIUM |
| An XML External Entity vulnerability in the web-based user interface of the Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to have read access to part of the information stored in the affected system. More Information: CSCvc04845. Known Affected Releases: 5.8(2.5). | |||||
| CVE-2019-16188 | 1 Hcltech | 1 Appscan Source | 2019-09-26 | 5.8 MEDIUM | 7.1 HIGH |
| HCL AppScan Source before 9.03.13 is susceptible to XML External Entity (XXE) attacks in multiple locations. In particular, an attacker can send a specially crafted .ozasmt file to a targeted victim and ask the victim to open it. When the victim imports the .ozasmt file in AppScan Source, the content of any file in the local file system (to which the victim as read access) can be exfiltrated to a remote listener under the attacker's control. The product does not disable external XML Entity Processing, which can lead to information disclosure and denial of services attacks. | |||||
| CVE-2018-1000639 | 1 Latexdraw Project | 1 Latexdraw | 2019-09-26 | 6.8 MEDIUM | 9.6 CRITICAL |
| LatexDraw version <=4.0 contains a XML External Entity (XXE) vulnerability in SVG parsing functionality that can result in disclosure of data, server side request forgery, port scanning, possible rce. This attack appear to be exploitable via Specially crafted SVG file. | |||||
| CVE-2018-1000823 | 1 Exist-db | 1 Exist | 2019-09-24 | 7.5 HIGH | 10.0 CRITICAL |
| exist version <= 5.0.0-RC4 contains a XML External Entity (XXE) vulnerability in XML Parser for REST Server that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. | |||||
| CVE-2019-9488 | 1 Trendmicro | 2 Deep Security Manager, Vulnerability Protection | 2019-09-13 | 4.0 MEDIUM | 4.9 MEDIUM |
| Trend Micro Deep Security Manager (10.x, 11.x) and Vulnerability Protection (2.0) are vulnerable to a XML External Entity Attack. However, for the attack to be possible, the attacker must have root/admin access to a protected host which is authorized to communicate with the Deep Security Manager (DSM). | |||||
| CVE-2018-1000835 | 1 Keepassdx | 1 Keepass Dx | 2019-09-12 | 7.5 HIGH | 10.0 CRITICAL |
| KeePassDX version <= 2.5.0.0beta17 contains a XML External Entity (XXE) vulnerability in kdbx file parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. | |||||
| CVE-2018-1000837 | 1 Obeo | 1 Uml Designer | 2019-09-11 | 7.5 HIGH | 10.0 CRITICAL |
| UML Designer version <= 8.0.0 contains a XML External Entity (XXE) vulnerability in XML parser for plugins that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via malicious plugins.xml file. | |||||
| CVE-2019-16174 | 1 Limesurvey | 1 Limesurvey | 2019-09-10 | 6.8 MEDIUM | 8.8 HIGH |
| An XML injection vulnerability was found in Limesurvey before 3.17.14 that allows remote attackers to import specially crafted XML files and execute code or compromise data integrity. | |||||
| CVE-2019-13608 | 1 Citrix | 1 Storefront Server | 2019-09-04 | 5.0 MEDIUM | 7.5 HIGH |
| Citrix StoreFront Server before 1903, 7.15 LTSR before CU4 (3.12.4000), and 7.6 LTSR before CU8 (3.0.8000) allows XXE attacks. | |||||
| CVE-2019-15641 | 1 Webmin | 1 Webmin | 2019-08-30 | 6.8 MEDIUM | 6.5 MEDIUM |
| xmlrpc.cgi in Webmin through 1.930 allows authenticated XXE attacks. By default, only root, admin, and sysadm can access xmlrpc.cgi. | |||||
| CVE-2019-14258 | 1 Zenoss | 1 Zenoss | 2019-08-30 | 5.0 MEDIUM | 7.5 HIGH |
| The XML-RPC subsystem in Zenoss 2.5.3 allows XXE attacks that lead to unauthenticated information disclosure via port 9988. | |||||
| CVE-2019-13176 | 1 3cx | 1 3cx | 2019-08-28 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in the 3CX Phone system (web) management console 12.5.44178.1002 through 12.5 SP2. The Content.MainForm.wgx component is affected by XXE via a crafted XML document in POST data. There is potential to use this for SSRF (reading local files, outbound HTTP, and outbound DNS). | |||||
| CVE-2019-13031 | 2 Debian, Lemonldap-ng | 2 Debian Linux, Lemonldap\ | 2019-08-26 | 6.8 MEDIUM | 8.1 HIGH |
| LemonLDAP::NG before 1.9.20 has an XML External Entity (XXE) issue when submitting a notification to the notification server. By default, the notification server is not enabled and has a "deny all" rule. | |||||
| CVE-2018-14383 | 1 Ttpsc | 1 The Scheduler | 2019-08-14 | 5.0 MEDIUM | 7.5 HIGH |
| The Transition Technologies "The Scheduler" app 5.1.3 for Jira allows XXE due to a weakly configured/parameterized XML parser. It was fixed in the versions 5.2.1 and 3.3.7 | |||||