Total
1079 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-50380 | 1 Apache | 1 Ambari | 2025-03-27 | N/A | 6.5 MEDIUM |
| XML External Entity injection in apache ambari versions <= 2.7.7, Users are recommended to upgrade to version 2.7.8, which fixes this issue. More Details: Oozie Workflow Scheduler had a vulnerability that allowed for root-level file reading and privilege escalation from low-privilege users. The vulnerability was caused through lack of proper user input validation. This vulnerability is known as an XML External Entity (XXE) injection attack. Attackers can exploit XXE vulnerabilities to read arbitrary files on the server, including sensitive system files. In theory, it might be possible to use this to escalate privileges. | |||||
| CVE-2023-49234 | 2025-03-27 | N/A | 6.3 MEDIUM | ||
| An XML external entity (XXE) vulnerability was found in Stilog Visual Planning 8. It allows an authenticated attacker to access local server files and exfiltrate data to an external server. | |||||
| CVE-2025-29932 | 2025-03-27 | N/A | 4.1 MEDIUM | ||
| In JetBrains GoLand before 2025.1 an XXE during debugging was possible | |||||
| CVE-2024-21082 | 1 Oracle | 1 Bi Publisher | 2025-03-26 | N/A | 9.8 CRITICAL |
| Vulnerability in the Oracle BI Publisher product of Oracle Analytics (component: XML Services). Supported versions that are affected are 7.0.0.0.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle BI Publisher. Successful attacks of this vulnerability can result in takeover of Oracle BI Publisher. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | |||||
| CVE-2022-45588 | 1 Talend | 1 Remote Engine Gen 2 | 2025-03-26 | N/A | 7.8 HIGH |
| All versions before R2022-09 of Talend's Remote Engine Gen 2 are potentially vulnerable to XML External Entity (XXE) type of attacks. Users should download the R2022-09 release or later and use it in place of the previous version. Talend Remote Engine Gen 1 and Talend Cloud Engine for Design are not impacted. This XXE vulnerability could only be exploited by someone with the appropriate rights to edit pipelines on the Talend platform. It could not be triggered remotely or by other user input. | |||||
| CVE-2023-24323 | 1 Mojoportal | 1 Mojoportal | 2025-03-24 | N/A | 8.8 HIGH |
| Mojoportal v2.7 was discovered to contain an authenticated XML external entity (XXE) injection vulnerability. | |||||
| CVE-2023-22832 | 1 Apache | 1 Nifi | 2025-03-24 | N/A | 7.5 HIGH |
| The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references. Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor. | |||||
| CVE-2025-25036 | 2025-03-21 | N/A | 6.8 MEDIUM | ||
| Improper Restriction of XML External Entity Reference vulnerability in Jalios JPlatform allows XML Injection.This issue affects all versions of JPlatform 10 before 10.0.8 (SP8). | |||||
| CVE-2023-24187 | 1 Ureport Project | 1 Ureport | 2025-03-20 | N/A | 7.8 HIGH |
| An XML External Entity (XXE) vulnerability in ureport v2.2.9 allows attackers to execute arbitrary code via uploading a crafted XML file to /ureport/designer/saveReportFile. | |||||
| CVE-2024-21048 | 1 Oracle | 1 Web Applications Desktop Integrator | 2025-03-19 | N/A | 4.3 MEDIUM |
| Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: XML input). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Web Applications Desktop Integrator accessible data. CVSS 3.1 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). | |||||
| CVE-2023-22377 | 1 Fujitsu | 2 Tsclinical Define.xml Generator, Tsclinical Metadata Desktop Tools | 2025-03-19 | N/A | 7.4 HIGH |
| Improper restriction of XML external entity reference (XXE) vulnerability exists in tsClinical Define.xml Generator all versions (v1.0.0 to v1.4.0) and tsClinical Metadata Desktop Tools Version 1.0.3 to Version 1.1.0. If this vulnerability is exploited, an attacker may obtain an arbitrary file which meets a certain condition by reading a specially crafted XML file. | |||||
| CVE-2021-33950 | 1 Openkm | 1 Openkm | 2025-03-18 | N/A | 7.5 HIGH |
| An issue discovered in OpenKM v6.3.10 allows attackers to obtain sensitive information via the XMLTextExtractor function. | |||||
| CVE-2023-20855 | 1 Vmware | 2 Vrealize Automation, Vrealize Orchestrator | 2025-03-17 | N/A | 8.8 HIGH |
| VMware vRealize Orchestrator contains an XML External Entity (XXE) vulnerability. A malicious actor, with non-administrative access to vRealize Orchestrator, may be able to use specially crafted input to bypass XML parsing restrictions leading to access to sensitive information or possible escalation of privileges. | |||||
| CVE-2025-2365 | 2025-03-17 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability, which was classified as problematic, has been found in crmeb_java up to 1.3.4. Affected by this issue is the function webHook of the file WeChatMessageController.java. The manipulation leads to xml external entity reference. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2019-13608 | 1 Citrix | 1 Storefront Server | 2025-03-14 | 5.0 MEDIUM | 7.5 HIGH |
| Citrix StoreFront Server before 1903, 7.15 LTSR before CU4 (3.12.4000), and 7.6 LTSR before CU8 (3.0.8000) allows XXE attacks. | |||||
| CVE-2024-45490 | 1 Libexpat Project | 1 Libexpat | 2025-03-14 | N/A | 7.5 HIGH |
| An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer. | |||||
| CVE-2023-26267 | 1 Php-saml-sp Project | 1 Php-saml-sp | 2025-03-14 | N/A | 6.5 MEDIUM |
| php-saml-sp before 1.1.1 and 2.x before 2.1.1 allows reading arbitrary files as the webserver user because resolving XML external entities was silently enabled via \LIBXML_DTDLOAD | \LIBXML_DTDATTR. | |||||
| CVE-2023-39472 | 1 Inductiveautomation | 1 Ignition | 2025-03-13 | N/A | 6.5 MEDIUM |
| Inductive Automation Ignition SimpleXMLReader XML External Entity Processing Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Inductive Automation Ignition. Authentication is required to exploit this vulnerability. The specific flaw exists within the SimpleXMLReader class. Due to the improper restriction of XML External Entity (XXE) references, a crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose information in the context of the SYSTEM. . Was ZDI-CAN-17571. | |||||
| CVE-2024-21255 | 1 Oracle | 1 Peoplesoft Enterprise Peopletools | 2025-03-13 | N/A | 8.8 HIGH |
| Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: XMLPublisher). Supported versions that are affected are 8.59, 8.60 and 8.61. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PeopleTools. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). | |||||
| CVE-2025-0162 | 1 Ibm | 1 Aspera Shares | 2025-03-13 | N/A | 7.1 HIGH |
| IBM Aspera Shares 1.9.9 through 1.10.0 PL7 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote authenticated attacker could exploit this vulnerability to expose sensitive information or consume memory resources. | |||||