Total
998 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2016-0250 | 1 Ibm | 1 Infosphere Information Server | 2018-04-09 | 5.5 MEDIUM | 5.4 MEDIUM |
| XML external entity (XXE) vulnerability in IBM InfoSphere Information Governance Catalog 11.3 before 11.3.1.2 and 11.5 before 11.5.0.1 allows remote authenticated users to read arbitrary files or cause a denial of service via crafted XML data. IBM X-Force ID: 110510. | |||||
| CVE-2018-6225 | 1 Trendmicro | 1 Email Encryption Gateway | 2018-04-04 | 4.0 MEDIUM | 4.3 MEDIUM |
| An XML external entity injection (XXE) vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an authenticated user to expose a normally protected configuration script. | |||||
| CVE-2016-0268 | 1 Ibm | 1 Financial Transaction Manager | 2018-03-26 | 4.0 MEDIUM | 4.3 MEDIUM |
| XML external entity (XXE) vulnerability in IBM Financial Transaction Manager (FTM) for ACH Services for Multi-Platform 2.1.1.2 and 3.0.0.x before fp0013, Financial Transaction Manager (FTM) for Check Services for Multi-Platform 2.1.1.2 and 3.0.0.x before fp0013, and Financial Transaction Manager (FTM) for Corporate Payment Services (CPS) for Multi-Platform 2.1.1.2 and 3.0.0.x before fp0013 allows remote authenticated users to obtain sensitive information via crafted XML data. IBM X-Force ID: 110915. | |||||
| CVE-2017-7375 | 3 Debian, Google, Xmlsoft | 3 Debian Linux, Android, Libxml2 | 2018-03-18 | 7.5 HIGH | 9.8 CRITICAL |
| A flaw in libxml2 allows remote XML entity inclusion with default parser flags (i.e., when the caller did not request entity substitution, DTD validation, external DTD subset loading, or default DTD attributes). Depending on the context, this may expose a higher-risk attack surface in libxml2 not usually reachable with default parser flags, and expose content from local files, HTTP, or FTP servers (which might be otherwise unreachable). | |||||
| CVE-2016-0369 | 1 Ibm | 1 Forms Experience Builder | 2018-03-17 | 4.0 MEDIUM | 2.7 LOW |
| XML external entity (XXE) vulnerability in IBM Forms Experience Builder 8.5, 8.5.1, and 8.6 allows remote authenticated users to obtain sensitive information via crafted XML data. IBM X-Force ID: 112088. | |||||
| CVE-2018-1000054 | 1 Jenkins | 1 Ccm | 2018-03-13 | 6.5 MEDIUM | 8.3 HIGH |
| Jenkins CCM Plugin 3.1 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks. | |||||
| CVE-2017-18197 | 1 Jgraph | 1 Mxgraph | 2018-03-12 | 7.5 HIGH | 9.8 CRITICAL |
| In mxGraphViewImageReader.java in mxGraph before 3.7.6, the SAXParserFactory instance in convert() is missing flags to prevent XML External Entity (XXE) attacks, as demonstrated by /ServerView. | |||||
| CVE-2017-1758 | 1 Ibm | 3 Control Center, Financial Transaction Manager, Transformation Extender Advanced | 2018-03-12 | 5.5 MEDIUM | 7.1 HIGH |
| IBM Financial Transaction Manager for ACH Services for Multi-Platform (IBM Control Center 6.0 and 6.1, IBM Financial Transaction Manager 3.0.2, 3.0.3, 3.0.4, and 3.1.0, IBM Transformation Extender Advanced 9.0) is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 135859. | |||||
| CVE-2018-1307 | 1 Apache | 1 Juddi | 2018-03-08 | 6.8 MEDIUM | 8.1 HIGH |
| In Apache jUDDI 3.2 through 3.3.4, if using the WADL2Java or WSDL2Java classes, which parse a local or remote XML document and then mediates the data structures into UDDI data structures, there are little protections present against entity expansion and DTD type of attacks. Mitigation is to use 3.3.5. | |||||
| CVE-2018-1000056 | 1 Jenkins | 1 Junit | 2018-03-06 | 6.5 MEDIUM | 8.3 HIGH |
| Jenkins JUnit Plugin 1.23 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks. | |||||
| CVE-2018-1000055 | 1 Jenkins | 1 Android Lint | 2018-03-06 | 6.5 MEDIUM | 8.3 HIGH |
| Jenkins Android Lint Plugin 2.5 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks. | |||||
| CVE-2018-2392 | 1 Sap | 1 Internet Graphics Server | 2018-03-01 | 5.0 MEDIUM | 7.5 HIGH |
| Under certain conditions SAP Internet Graphics Server (IGS) 7.20, 7.20EXT, 7.45, 7.49, 7.53, fails to validate XML External Entity appropriately causing the SAP Internet Graphics Server (IGS) to become unavailable. | |||||
| CVE-2018-2393 | 1 Sap | 1 Internet Graphics Server | 2018-03-01 | 5.0 MEDIUM | 7.5 HIGH |
| Under certain conditions SAP Internet Graphics Server (IGS) 7.20, 7.20EXT, 7.45, 7.49, 7.53, fails to validate XML External Entity appropriately causing the SAP Internet Graphics Server (IGS) to become unavailable. | |||||
| CVE-2018-3600 | 1 Trendmicro | 1 Control Manager | 2018-02-27 | 4.0 MEDIUM | 6.5 MEDIUM |
| A external entity processing information disclosure (XXE) vulnerability in Trend Micro Control Manager 6.0 could allow a remote attacker to disclose sensitive information on vulnerable installations. | |||||
| CVE-2018-5789 | 1 Extremewireless | 1 Wing | 2018-02-22 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3. There is a Remote, Unauthenticated XML Entity Expansion Denial of Service on the WiNG Access Point / Controller via crafted XML entities to the Web User Interface. | |||||
| CVE-2017-14699 | 1 Asus | 32 Dsl-ac51, Dsl-ac51 Firmware, Dsl-ac52u and 29 more | 2018-02-22 | 4.0 MEDIUM | 6.5 MEDIUM |
| Multiple XML external entity (XXE) vulnerabilities in the AiCloud feature on ASUS DSL-AC51, DSL-AC52U, DSL-AC55U, DSL-N55U C1, DSL-N55U D1, DSL-AC56U, DSL-N10_C1, DSL-N12U C1, DSL-N12E C1, DSL-N14U, DSL-N14U-B1, DSL-N16, DSL-N16U, DSL-N17U, DSL-N66U, and DSL-AC750 routers allow remote authenticated users to read arbitrary files via a crafted DTD in (1) an UPDATEACCOUNT or (2) a PROPFIND request. | |||||
| CVE-2014-3005 | 2 Fedoraproject, Zabbix | 2 Fedora, Zabbix | 2018-02-21 | 7.5 HIGH | 9.8 CRITICAL |
| XML external entity (XXE) vulnerability in Zabbix 1.8.x before 1.8.21rc1, 2.0.x before 2.0.13rc1, 2.2.x before 2.2.5rc1, and 2.3.x before 2.3.2 allows remote attackers to read arbitrary files or potentially execute arbitrary code via a crafted DTD in an XML request. | |||||
| CVE-2014-3244 | 1 Sugarcrm | 1 Sugarcrm | 2018-02-15 | 7.5 HIGH | 9.8 CRITICAL |
| XML external entity (XXE) vulnerability in the RSSDashlet dashlet in SugarCRM before 6.5.17 allows remote attackers to read arbitrary files or potentially execute arbitrary code via a crafted DTD in an XML request. | |||||
| CVE-2018-1364 | 1 Ibm | 1 Content Navigator | 2018-02-15 | 6.4 MEDIUM | 8.2 HIGH |
| IBM Content Navigator 2.0 and 3.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 137449. | |||||
| CVE-2018-1000012 | 1 Jenkins | 1 Warnings | 2018-02-07 | 6.5 MEDIUM | 8.8 HIGH |
| Jenkins Warnings Plugin 4.64 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks. | |||||