Total
927 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2016-9181 | 1 Image-info Project | 1 Image-info For Perl | 2024-02-04 | 5.8 MEDIUM | 7.1 HIGH |
perl-Image-Info: When parsing an SVG file, external entity expansion (XXE) was not disabled. An attacker could craft an SVG file which, when processed by an application using perl-Image-Info, could cause denial of service or, potentially, information disclosure. | |||||
CVE-2016-5749 | 1 Netiq | 1 Access Manager | 2024-02-04 | 2.1 LOW | 5.5 MEDIUM |
NetIQ Access Manager 4.1 before 4.1.2 HF 1 and 4.2 before 4.2.2 was parsing incoming SAML requests with external entity resolution enabled, which could lead to local file disclosure via an XML External Entity (XXE) attack. | |||||
CVE-2016-9318 | 3 Canonical, Xmlsec Project, Xmlsoft | 3 Ubuntu Linux, Xmlsec, Libxml2 | 2024-02-04 | 4.3 MEDIUM | 5.5 MEDIUM |
libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document. | |||||
CVE-2017-8913 | 1 Sap | 1 Netweaver Application Server Java | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
The Visual Composer VC70RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via a crafted XML document in a request to irj/servlet/prt/portal/prtroot/com.sap.visualcomposer.BIKit.default, aka SAP Security Note 2386873. | |||||
CVE-2017-6895 | 1 Usb Pratirodh Project | 1 Usb Pratirodh | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
USB Pratirodh allows remote attackers to conduct XML External Entity (XXE) attacks via XML data in usb.xml. | |||||
CVE-2016-7459 | 1 Vmware | 1 Vcenter Server | 2024-02-04 | 4.0 MEDIUM | 7.7 HIGH |
VMware vCenter Server 5.5 before U3e and 6.0 before U2a allows remote authenticated users to read arbitrary files via a (1) Log Browser, (2) Distributed Switch setup, or (3) Content Library XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. | |||||
CVE-2016-8348 | 1 Emerson | 1 Liebert Sitescan Web | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
An XML External Entity (XXE) issue was discovered in Emerson Liebert SiteScan Web Version 6.5, and prior. An attacker may enter malicious input to Liebert SiteScan through a weakly configured XML parser causing the application to execute arbitrary code or disclose file contents from a server or connected network. | |||||
CVE-2016-7051 | 1 Fasterxml | 1 Jackson-dataformat-xml | 2024-02-04 | 5.0 MEDIUM | 8.6 HIGH |
XmlMapper in the Jackson XML dataformat component (aka jackson-dataformat-xml) before 2.7.8 and 2.8.x before 2.8.4 allows remote attackers to conduct server-side request forgery (SSRF) attacks via vectors related to a DTD. | |||||
CVE-2017-1103 | 1 Ibm | 2 Rational Quality Manager, Rational Team Concert | 2024-02-04 | 7.5 HIGH | 8.1 HIGH |
IBM Team Concert (RTC) is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM X-Force ID: 120665. | |||||
CVE-2015-7743 | 1 Paessler | 1 Prtg Network Monitor | 2024-02-04 | 4.0 MEDIUM | 6.5 MEDIUM |
XML external entity vulnerability in PRTG Network Monitor before 16.2.23.3077/3078 allows remote authenticated users to read arbitrary files by creating a new HTTP XML/REST Value sensor that accesses a crafted XML file. | |||||
CVE-2016-7458 | 1 Vmware | 1 Vsphere Client | 2024-02-04 | 5.0 MEDIUM | 5.8 MEDIUM |
VMware vSphere Client 5.5 before U3e and 6.0 before U2a allows remote vCenter Server and ESXi instances to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. | |||||
CVE-2017-1289 | 1 Ibm | 1 Sdk | 2024-02-04 | 6.4 MEDIUM | 8.2 HIGH |
IBM SDK, Java Technology Edition is vulnerable XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. IBM X-Force ID: 125150. | |||||
CVE-2016-6111 | 1 Ibm | 1 Curam Social Program Management | 2024-02-04 | 8.5 HIGH | 9.1 CRITICAL |
IBM Curam Social Program Management 6.0 and 7.0 are vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM Reference #: 2000833. | |||||
CVE-2016-0284 | 1 Ibm | 7 Rational Collaborative Lifecycle Management, Rational Doors Next Generation, Rational Engineering Lifecycle Manager and 4 more | 2024-02-04 | 5.5 MEDIUM | 5.4 MEDIUM |
The XML parser in IBM Rational Collaborative Lifecycle Management 3.0.1.6 before iFix8, 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; Rational Quality Manager 3.0.1.6 before iFix8, 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; Rational Team Concert 3.0.1.6 before iFix8, 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; Rational DOORS Next Generation 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; Rational Engineering Lifecycle Manager 4.x before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; Rational Rhapsody Design Manager 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; and Rational Software Architect Design Manager 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5 allows remote authenticated users to read arbitrary files or cause a denial of service via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. | |||||
CVE-2016-3055 | 1 Ibm | 1 Filenet Workplace | 2024-02-04 | 5.5 MEDIUM | 8.1 HIGH |
IBM FileNet Workplace 4.0.2 before 4.0.2.14 LA012 allows remote authenticated users to read arbitrary files or cause a denial of service (memory consumption) via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. | |||||
CVE-2016-4047 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-02-04 | 4.0 MEDIUM | 4.3 MEDIUM |
An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev8. References to external Open XML document type definitions (.dtd resources) can be placed within .docx and .xslx files. Those resources were requested when parsing certain parts of the generated document. As a result an attacker can track access to a manipulated document. Usage of a document may get tracked and information about internal infrastructure may get exposed. | |||||
CVE-2017-5661 | 1 Apache | 1 Formatting Objects Processor | 2024-02-04 | 7.9 HIGH | 7.3 HIGH |
In Apache FOP before 2.2, files lying on the filesystem of the server which uses FOP can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack. | |||||
CVE-2016-9691 | 1 Ibm | 1 Websphere Cast Iron Solution | 2024-02-04 | 9.0 HIGH | 8.6 HIGH |
IBM WebSphere Cast Iron Solution 7.0.0 and 7.5.0.0 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM X-Force ID: 119515. | |||||
CVE-2016-5851 | 1 Python-openxml Project | 1 Python-docx | 2024-02-04 | 6.8 MEDIUM | 8.8 HIGH |
python-docx before 0.8.6 allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted document. | |||||
CVE-2016-4312 | 1 Wso2 | 1 Identity Server | 2024-02-04 | 6.0 MEDIUM | 7.5 HIGH |
XML external entity (XXE) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 before WSO2-CARBON-PATCH-4.4.0-0231 allows remote authenticated users with access to XACML features to read arbitrary files, cause a denial of service, conduct server-side request forgery (SSRF) attacks, or have unspecified other impact via a crafted XACML request to entitlement/eval-policy-submit.jsp. NOTE: this issue can be combined with CVE-2016-4311 to exploit the vulnerability without credentials. |