Total
1135 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-2905 | 2025-05-05 | N/A | 9.1 CRITICAL | ||
| An XML External Entity (XXE) vulnerability exists in the gateway component of WSO2 API Manager due to insufficient validation of XML input in crafted URL paths. User-supplied XML is parsed without appropriate restrictions, enabling external entity resolution. This vulnerability can be exploited by an unauthenticated remote attacker to read files from the server’s filesystem or perform denial-of-service (DoS) attacks. * On systems running JDK 7 or early JDK 8, full file contents may be exposed. * On later versions of JDK 8 and newer, only the first line of a file may be read, due to improvements in XML parser behavior. * DoS attacks such as "Billion Laughs" payloads can cause service disruption. | |||||
| CVE-2022-21220 | 1 Intel | 1 Quartus Prime | 2025-05-05 | 4.6 MEDIUM | 7.8 HIGH |
| Improper restriction of XML external entity for Intel(R) Quartus(R) Prime Pro Edition before version 21.3 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2022-21205 | 1 Intel | 1 Quartus Prime | 2025-05-05 | 5.0 MEDIUM | 7.5 HIGH |
| Improper restriction of XML external entity reference in DSP Builder Pro for Intel(R) Quartus(R) Prime Pro Edition before version 21.3 may allow an unauthenticated user to potentially enable information disclosure via network access. | |||||
| CVE-2020-25020 | 2 Mpxj, Oracle | 2 Mpxj, Primavera Unifier | 2025-05-05 | 7.5 HIGH | 9.8 CRITICAL |
| MPXJ through 8.1.3 allows XXE attacks. This affects the GanttProjectReader and PhoenixReader components. | |||||
| CVE-2022-40747 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2025-05-05 | N/A | 9.1 CRITICAL |
| "IBM InfoSphere Information Server 11.7 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 236584." | |||||
| CVE-2022-37911 | 1 Arubanetworks | 2 Arubaos, Sd-wan | 2025-05-02 | N/A | 3.8 LOW |
| Due to improper restrictions on XML entities multiple vulnerabilities exist in the command line interface of ArubaOS. A successful exploit could allow an authenticated attacker to retrieve files from the local system or cause the application to consume system resources, resulting in a denial of service condition. | |||||
| CVE-2022-45386 | 1 Jenkins | 1 Violations | 2025-04-30 | N/A | 5.5 MEDIUM |
| Jenkins Violations Plugin 0.7.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2022-45395 | 1 Jenkins | 1 Cccc | 2025-04-30 | N/A | 9.8 CRITICAL |
| Jenkins CCCC Plugin 0.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2022-45400 | 1 Jenkins | 1 Japex | 2025-04-30 | N/A | 9.8 CRITICAL |
| Jenkins JAPEX Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2022-45397 | 1 Jenkins | 1 Osf Builder Suite \ | 2025-04-30 | N/A | 9.8 CRITICAL |
| Jenkins OSF Builder Suite : : XML Linter Plugin 1.0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2022-45396 | 1 Jenkins | 1 Sourcemonitor | 2025-04-30 | N/A | 9.8 CRITICAL |
| Jenkins SourceMonitor Plugin 0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2022-43689 | 1 Concretecms | 1 Concrete Cms | 2025-04-30 | N/A | 5.3 MEDIUM |
| Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XXE based DNS requests leading to IP disclosure. | |||||
| CVE-2022-3980 | 1 Sophos | 1 Mobile | 2025-04-29 | N/A | 9.8 CRITICAL |
| An XML External Entity (XEE) vulnerability allows server-side request forgery (SSRF) and potential code execution in Sophos Mobile managed on-premises between versions 5.0.0 and 9.7.4. | |||||
| CVE-2025-2070 | 2025-04-29 | N/A | 5.0 MEDIUM | ||
| An improper XML parsing vulnerability was reported in the FileZ client that could allow arbitrary file reads on the system if a crafted url is visited by a local user. | |||||
| CVE-2022-40771 | 1 Zohocorp | 4 Manageengine Assetexplorer, Manageengine Servicedesk Plus, Manageengine Servicedesk Plus Msp and 1 more | 2025-04-28 | N/A | 4.9 MEDIUM |
| Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to an XML External Entity attack that leads to Information Disclosure. | |||||
| CVE-2022-46682 | 1 Jenkins | 1 Plot | 2025-04-23 | N/A | 9.8 CRITICAL |
| Jenkins Plot Plugin 2.1.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2022-45326 | 1 Kwoksys | 1 Information Server | 2025-04-23 | N/A | 4.9 MEDIUM |
| An XML external entity (XXE) injection vulnerability in Kwoksys Kwok Information Server before v2.9.5.SP31 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks. | |||||
| CVE-2017-3811 | 1 Cisco | 1 Webex Meetings Server | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| An XML External Entity vulnerability in Cisco WebEx Meetings Server could allow an authenticated, remote attacker to have read access to part of the information stored in the affected system. More Information: CSCvc39165. Known Affected Releases: 2.6. Known Fixed Releases: 2.7.1.2054. | |||||
| CVE-2016-5795 | 2 Automatedlogic, Carrier | 3 I-vu, Sitescan Web, Automatedlogic Webctrl | 2025-04-20 | 7.5 HIGH | 7.3 HIGH |
| An XXE issue was discovered in Automated Logic Corporation (ALC) Liebert SiteScan Web Version 6.5 and prior, ALC WebCTRL Version 6.5 and prior, and Carrier i-Vu Version 6.5 and prior. An attacker could enter malicious input to WebCTRL, i-Vu, or SiteScan Web through a weakly configured XML parser causing the application to execute arbitrary code or disclose file contents from a server or connected network. | |||||
| CVE-2017-9231 | 1 Citrix | 1 Xenmobile Server | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| XML external entity (XXE) vulnerability in Citrix XenMobile Server 9.x and 10.x before 10.5 RP3 allows attackers to obtain sensitive information via unspecified vectors. | |||||