Total
998 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-1000652 | 1 Jabref | 1 Jabref | 2018-10-23 | 7.5 HIGH | 10.0 CRITICAL |
| JabRef version <=4.3.1 contains a XML External Entity (XXE) vulnerability in MsBibImporter XML Parser that can result in disclosure of confidential data, denial of service, server side request forgery, port scanning. This attack appear to be exploitable via Specially crafted MsBib file. This vulnerability appears to have been fixed in after commit 89f855d. | |||||
| CVE-2018-11719 | 1 Xovis | 6 Pc2, Pc2 Firmware, Pc2r and 3 more | 2018-10-22 | 4.0 MEDIUM | 4.9 MEDIUM |
| Xovis PC2, PC2R, and PC3 devices through 3.6.0 allow XXE. | |||||
| CVE-2016-4047 | 1 Open-xchange | 1 Open-xchange Appsuite | 2018-10-19 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev8. References to external Open XML document type definitions (.dtd resources) can be placed within .docx and .xslx files. Those resources were requested when parsing certain parts of the generated document. As a result an attacker can track access to a manipulated document. Usage of a document may get tracked and information about internal infrastructure may get exposed. | |||||
| CVE-2018-13417 | 1 Vuze | 1 Bittorrent Client | 2018-10-18 | 7.5 HIGH | 9.8 CRITICAL |
| In Vuze Bittorrent Client 5.7.6.0, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this vulnerability to: (1) Access arbitrary files from the filesystem with the same permission as the user account running Vuze, (2) Initiate SMB connections to capture a NetNTLM challenge/response and crack to cleartext password, or (3) Initiate SMB connections to relay a NetNTLM challenge/response and achieve Remote Command Execution in Windows domains. | |||||
| CVE-2018-13415 | 1 Plex | 1 Media Server | 2018-10-18 | 7.5 HIGH | 9.8 CRITICAL |
| In Plex Media Server 1.13.2.5154, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this vulnerability to: (1) Access arbitrary files from the filesystem with the same permission as the user account running Plex, (2) Initiate SMB connections to capture a NetNTLM challenge/response and crack to cleartext password, or (3) Initiate SMB connections to relay a NetNTLM challenge/response and achieve Remote Command Execution in Windows domains. | |||||
| CVE-2018-13416 | 1 Spirton | 1 Universal Media Server | 2018-10-17 | 7.5 HIGH | 9.8 CRITICAL |
| In Universal Media Server (UMS) 7.1.0, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this vulnerability to: (1) Access arbitrary files from the filesystem with the same permission as the user account running UMS, (2) Initiate SMB connections to capture a NetNTLM challenge/response and crack to cleartext password, or (3) Initiate SMB connections to relay a NetNTLM challenge/response and achieve Remote Command Execution in Windows domains. | |||||
| CVE-2016-8526 | 1 Hp | 1 Airwave | 2018-10-16 | 4.0 MEDIUM | 8.8 HIGH |
| Aruba Airwave all versions up to, but not including, 8.2.3.1 is vulnerable to an XML external entities (XXE). XXEs are a way to permit XML parsers to access storage that exist on external systems. If an unprivileged user is permitted to control the contents of XML files, XXE can be used as an attack vector. Because the XML parser has access to the local filesystem and runs with the permissions of the web server, it can access any file that is readable by the web server and copy it to an external system of the attacker's choosing. This could include files that contain passwords, which could then lead to privilege escalation. | |||||
| CVE-2016-4312 | 1 Wso2 | 1 Identity Server | 2018-10-09 | 6.0 MEDIUM | 7.5 HIGH |
| XML external entity (XXE) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 before WSO2-CARBON-PATCH-4.4.0-0231 allows remote authenticated users with access to XACML features to read arbitrary files, cause a denial of service, conduct server-side request forgery (SSRF) attacks, or have unspecified other impact via a crafted XACML request to entitlement/eval-policy-submit.jsp. NOTE: this issue can be combined with CVE-2016-4311 to exploit the vulnerability without credentials. | |||||
| CVE-2015-7326 | 1 Milton | 1 Webdav | 2018-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| XML External Entity (XXE) vulnerability in Milton Webdav before 2.7.0.3. | |||||
| CVE-2015-7241 | 1 Sap | 1 Netweaver | 2018-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| XML External Entity (XXE) vulnerability in SAP Netweaver before 7.01. | |||||
| CVE-2018-14473 | 1 Ocsinventory-ng | 1 Ocsinventory Ng | 2018-10-01 | 6.4 MEDIUM | 9.1 CRITICAL |
| OCS Inventory 2.4.1 lacks a proper XML parsing configuration, allowing the use of external entities. This issue can be exploited by an attacker sending a crafted HTTP request in order to exfiltrate information or cause a Denial of Service. | |||||
| CVE-2014-2296 | 1 Apereo | 1 Cas Server | 2018-09-19 | 6.8 MEDIUM | 8.8 HIGH |
| XML external entity (XXE) vulnerability in java/org/jasig/cas/util/SamlUtils.java in Jasig CAS server before 3.4.12.1 and 3.5.x before 3.5.2.1, when Google Accounts Integration is enabled, allows remote unauthenticated users to bypass authentication via crafted XML data. | |||||
| CVE-2018-14065 | 1 Phpoffice Project | 1 Common | 2018-09-12 | 7.5 HIGH | 9.8 CRITICAL |
| XMLReader.php in PHPOffice Common before 0.2.9 allows XXE. | |||||
| CVE-2018-13439 | 1 Tencent | 1 Wechat Pay | 2018-09-10 | 5.0 MEDIUM | 7.5 HIGH |
| WXPayUtil in WeChat Pay Java SDK allows XXE attacks involving a merchant notification URL. | |||||
| CVE-2018-11640 | 1 Dialogic | 1 Powermedia Xms | 2018-09-07 | 6.4 MEDIUM | 9.1 CRITICAL |
| XML External Entity (XXE) vulnerability in the web service in Dialogic PowerMedia XMS before 3.5 SU2 allows remote attackers to read arbitrary files or cause a denial of service (resource consumption). | |||||
| CVE-2018-1000614 | 1 Onosproject | 1 Onos | 2018-09-04 | 7.5 HIGH | 9.8 CRITICAL |
| ONOS ONOS Controller version 1.13.1 and earlier contains a XML External Entity (XXE) vulnerability in providers/netconf/alarm/src/main/java/org/onosproject/provider/netconf/alarm/NetconfAlarmTranslator.java that can result in An adversary can remotely launch advanced XXE attacks on ONOS controller without authentication.. This attack appear to be exploitable via crafted protocol message. | |||||
| CVE-2018-1000616 | 1 Onosproject | 1 Onos | 2018-09-04 | 7.5 HIGH | 9.8 CRITICAL |
| ONOS ONOS controller version 1.13.1 and earlier contains a XML External Entity (XXE) vulnerability in onos\drivers\utilities\src\main\java\org\onosproject\drivers\utilities\XmlConfigParser.java loadxml() that can result in An adversary can remotely launch XXE attacks on ONOS controller via an OpenConfig Terminal Device.. This attack appear to be exploitable via network connectivity. | |||||
| CVE-2018-1000540 | 1 Loboevolution Project | 1 Loboevolution | 2018-08-20 | 6.8 MEDIUM | 7.8 HIGH |
| LoboEvolution version < 9b75694cedfa4825d4a2330abf2719d470c654cd contains a XML External Entity (XXE) vulnerability in XML Parsing when viewing the XML file in the browser that can result in disclosure of confidential data, denial of service, server side request forgery. This attack appear to be exploitable via Specially crafted XML file. | |||||
| CVE-2018-1000515 | 1 News-articles Project | 1 News-articles | 2018-08-20 | 5.0 MEDIUM | 7.5 HIGH |
| ventrian News-Articles version NewsArticles.00.09.11 contains a XML External Entity (XXE) vulnerability in News-Articles/API/MetaWebLog/Handler.ashx.vb that can result in Attacker can read any file in the server or use smbrelay attack to access to server.. | |||||
| CVE-2018-1000548 | 1 Umlet | 1 Umlet | 2018-08-20 | 6.8 MEDIUM | 7.8 HIGH |
| Umlet version < 14.3 contains a XML External Entity (XXE) vulnerability in File parsing that can result in disclosure of confidential data, denial of service, server side request forgery. This attack appear to be exploitable via Specially crafted UXF file. This vulnerability appears to have been fixed in 14.3. | |||||