Total
59 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-20104 | 1 Atlassian | 1 Crowd | 2022-01-01 | 5.0 MEDIUM | 7.5 HIGH |
| The OpenID client application in Atlassian Crowd before version 3.6.2, and from version 3.7.0 before 3.7.1 allows remote attackers to perform a Denial of Service attack via an XML Entity Expansion vulnerability. | |||||
| CVE-2021-38490 | 1 Altova | 1 Mobiletogether Server | 2021-08-18 | 5.0 MEDIUM | 7.5 HIGH |
| Altova MobileTogether Server before 7.3 SP1 allows XML exponential entity expansion, a different vulnerability than CVE-2021-37425. | |||||
| CVE-2019-15160 | 1 Kbrw | 1 Sweet Xml | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| The SweetXml (aka sweet_xml) package through 0.6.6 for Erlang and Elixir allows attackers to cause a denial of service (resource consumption) via an XML entity expansion attack with an inline DTD. | |||||
| CVE-2020-3946 | 1 Vmware | 1 Installbuilder | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| InstallBuilder AutoUpdate tool and regular installers enabling <checkForUpdates> built with versions earlier than 19.11 are vulnerable to Billion laughs attack (denial-of-service). | |||||
| CVE-2012-6685 | 2 Nokogiri, Redhat | 8 Nokogiri, Cloudforms Management Engine, Enterprise Mrg and 5 more | 2021-07-15 | 5.0 MEDIUM | 7.5 HIGH |
| Nokogiri before 1.5.4 is vulnerable to XXE attacks | |||||
| CVE-2013-6460 | 3 Debian, Nokogiri, Redhat | 7 Debian Linux, Nokogiri, Cloudforms Management Engine and 4 more | 2021-07-15 | 4.3 MEDIUM | 6.5 MEDIUM |
| Nokogiri gem 1.5.x has Denial of Service via infinite loop when parsing XML documents | |||||
| CVE-2013-6461 | 3 Debian, Nokogiri, Redhat | 7 Debian Linux, Nokogiri, Cloudforms Management Engine and 4 more | 2021-07-15 | 4.3 MEDIUM | 6.5 MEDIUM |
| Nokogiri gem 1.5.x and 1.6.x has DoS while parsing XML entities by failing to apply limits | |||||
| CVE-2020-15303 | 1 Infoblox | 1 Nios | 2021-07-02 | 4.0 MEDIUM | 6.5 MEDIUM |
| Infoblox NIOS before 8.5.2 allows entity expansion during an XML upload operation, a related issue to CVE-2003-1564. | |||||
| CVE-2021-32623 | 1 Apereo | 1 Opencast | 2021-06-23 | 4.0 MEDIUM | 6.5 MEDIUM |
| Opencast is a free and open source solution for automated video capture and distribution. Versions of Opencast prior to 9.6 are vulnerable to the billion laughs attack, which allows an attacker to easily execute a (seemingly permanent) denial of service attack, essentially taking down Opencast using a single HTTP request. To exploit this, users need to have ingest privileges, limiting the group of potential attackers The problem has been fixed in Opencast 9.6. There is no known workaround for this issue. | |||||
| CVE-2020-24665 | 1 Hitachi | 1 Vantara Pentaho | 2021-02-04 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Dashboard Editor in Hitachi Vantara Pentaho through 7.x - 8.x contains an XML Entity Expansion injection vulnerability, which allows an authenticated remote users to trigger a denial of service (DoS) condition. Specifically, the vulnerability lies in the 'dashboardXml' parameter. Remediated in >= 7.1.0.25, >= 8.2.0.6, >= 8.3.0.0 GA | |||||
| CVE-2021-1267 | 1 Cisco | 1 Firepower Management Center | 2021-01-20 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability in the dashboard widget of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to improper restrictions on XML entities. An attacker could exploit this vulnerability by crafting an XML-based widget on an affected server. A successful exploit could cause increased memory and CPU utilization, which could result in a DoS condition. | |||||
| CVE-2017-5644 | 1 Apache | 1 Poi | 2020-10-20 | 7.1 HIGH | 5.5 MEDIUM |
| Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack. | |||||
| CVE-2019-5442 | 1 Pippo | 1 Pippo | 2020-10-16 | 5.0 MEDIUM | 7.5 HIGH |
| XML Entity Expansion (Billion Laughs Attack) on Pippo 1.12.0 results in Denial of Service.Entities are created recursively and large amounts of heap memory is taken. Eventually, the JVM process will run out of memory. Otherwise, if the OS does not bound the memory on that process, memory will continue to be exhausted and will affect other processes on the system. | |||||
| CVE-2012-3340 | 1 Ibm | 1 Infosphere Guardium | 2020-09-03 | 4.0 MEDIUM | 4.3 MEDIUM |
| IBM InfoSphere Guardium 8.0, 8.01, and 8.2 is vulnerable to XML external entity injection, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to obtain sensitive information. IBM X-Force ID: 78291. | |||||
| CVE-2020-24590 | 1 Wso2 | 2 Api Manager, Api Microgateway | 2020-08-27 | 6.4 MEDIUM | 9.1 CRITICAL |
| The Management Console in WSO2 API Manager through 3.1.0 and API Microgateway 2.2.0 allows XML Entity Expansion attacks. | |||||
| CVE-2020-11462 | 1 Openvpn | 1 Openvpn Access Server | 2020-05-12 | 4.3 MEDIUM | 7.5 HIGH |
| An issue was discovered in OpenVPN Access Server before 2.7.0 and 2.8.x before 2.8.3. With the full featured RPC2 interface enabled, it is possible to achieve a temporary DoS state of the management interface when sending an XML Entity Expansion (XEE) payload to the XMLRPC based RPC2 interface. The duration of the DoS state depends on available memory and CPU speed. The default restricted mode of the RPC2 interface is NOT vulnerable. | |||||
| CVE-2014-2228 | 1 Talend | 1 Restlet | 2020-03-06 | 7.5 HIGH | 9.8 CRITICAL |
| The XStream extension in HP Fortify SCA before 2.2 RC3 allows remote attackers to execute arbitrary code via unsafe deserialization of XML messages. | |||||
| CVE-2013-4335 | 1 Openpne | 1 Opopensocialplugin | 2020-02-11 | 7.5 HIGH | 9.8 CRITICAL |
| opOpenSocialPlugin 0.8.2.1, > 0.9.9.2, 0.9.13, 1.2.6: Multiple XML External Entity Injection Vulnerabilities | |||||
| CVE-2020-6856 | 1 Sos-berlin | 1 Jobscheduler | 2020-02-07 | 4.0 MEDIUM | 6.5 MEDIUM |
| An XML External Entity (XEE) vulnerability exists in the JOC Cockpit component of SOS JobScheduler 1.12 and 1.13.2 allows attackers to read files from the server via an entity declaration in any of the XML documents that are used to specify the run-time settings of jobs and orders. | |||||