Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

CVEs (1,244)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2018-1000542 1Netbeans Mmd Plugin Project 1Netbeans Mmd Plugin Nov 21, 2024 Jun 26, 2018 N/A· v4 7.8 HIGH· v3 6.8 MEDIUM· v2 netbeans-mmd-plugin version <= 1.4.3 contains a XML External Entity (XXE) vulnerability in MMD file import that can result in Possible information disclosure, server-side request forgery, or remote code execution. This a...Show more netbeans-mmd-plugin version <= 1.4.3 contains a XML External Entity (XXE) vulnerability in MMD file import that can result in Possible information disclosure, server-side request forgery, or remote code execution. This attack appear to be exploitable via Specially crafted MMD file.Show less
CVE-2018-1000540 1Loboevolution Project 1Loboevolution Nov 21, 2024 Jun 26, 2018 N/A· v4 7.8 HIGH· v3 6.8 MEDIUM· v2 LoboEvolution version < 9b75694cedfa4825d4a2330abf2719d470c654cd contains a XML External Entity (XXE) vulnerability in XML Parsing when viewing the XML file in the browser that can result in disclosure of confidential da...Show more LoboEvolution version < 9b75694cedfa4825d4a2330abf2719d470c654cd contains a XML External Entity (XXE) vulnerability in XML Parsing when viewing the XML file in the browser that can result in disclosure of confidential data, denial of service, server side request forgery. This attack appear to be exploitable via Specially crafted XML file.Show less
CVE-2018-1000515 1News Articles Project 1News Articles Nov 21, 2024 Jun 26, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 ventrian News-Articles version NewsArticles.00.09.11 contains a XML External Entity (XXE) vulnerability in News-Articles/API/MetaWebLog/Handler.ashx.vb that can result in Attacker can read any file in the server or use s...Show more ventrian News-Articles version NewsArticles.00.09.11 contains a XML External Entity (XXE) vulnerability in News-Articles/API/MetaWebLog/Handler.ashx.vb that can result in Attacker can read any file in the server or use smbrelay attack to access to server..Show less
CVE-2018-8819 1Carrier 1Automatedlogic Webctrl Nov 21, 2024 Jun 14, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 An XXE issue was discovered in Automated Logic Corporation (ALC) WebCTRL Versions 6.0, 6.1 and 6.5. An unauthenticated attacker could enter malicious input to WebCTRL and a weakly configured XML parser will allow the app...Show more An XXE issue was discovered in Automated Logic Corporation (ALC) WebCTRL Versions 6.0, 6.1 and 6.5. An unauthenticated attacker could enter malicious input to WebCTRL and a weakly configured XML parser will allow the application to disclose full file contents from the underlying web server OS via the "X-Wap-Profile" HTTP header.Show less
CVE-2018-5434 1Tibco 1Runtime Agent Nov 21, 2024 Jun 13, 2018 N/A· v4 6.5 MEDIUM· v3 6.8 MEDIUM· v2 The TIBCO Designer component of TIBCO Software Inc.'s TIBCO Runtime Agent, and TIBCO Runtime Agent for z/Linux contains vulnerabilities wherein a malicious user could perform XML external entity expansion (XXE) attacks t...Show more The TIBCO Designer component of TIBCO Software Inc.'s TIBCO Runtime Agent, and TIBCO Runtime Agent for z/Linux contains vulnerabilities wherein a malicious user could perform XML external entity expansion (XXE) attacks to disclose host machine information. Affected releases are TIBCO Software Inc.'s TIBCO Runtime Agent: versions up to and including 5.10.0, and TIBCO Runtime Agent for z/Linux: versions up to and including 5.9.1.Show less
CVE-2018-5433 1Tibco 1Administrator Nov 21, 2024 Jun 13, 2018 N/A· v4 6.5 MEDIUM· v3 6.8 MEDIUM· v2 The TIBCO Administrator server component of TIBCO Software Inc.'s TIBCO Administrator - Enterprise Edition, and TIBCO Administrator - Enterprise Edition for z/Linux contains vulnerabilities wherein a malicious user could...Show more The TIBCO Administrator server component of TIBCO Software Inc.'s TIBCO Administrator - Enterprise Edition, and TIBCO Administrator - Enterprise Edition for z/Linux contains vulnerabilities wherein a malicious user could perform XML external entity expansion (XXE) attacks to disclose host machine information. Affected releases are TIBCO Software Inc.'s TIBCO Administrator - Enterprise Edition: versions up to and including 5.10.0, and TIBCO Administrator - Enterprise Edition for z/Linux: versions up to and including 5.9.1.Show less
CVE-2017-3208 1Themidnightcoders 1Weborb For Java Nov 21, 2024 Jun 11, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The Java implementation of AMF3 deserializers used by WebORB for Java by Midnight Coders, version 5.1.1.0, allows external entity references (XXEs) from XML documents embedded within AMF3 messages. If the XML parsing is...Show more The Java implementation of AMF3 deserializers used by WebORB for Java by Midnight Coders, version 5.1.1.0, allows external entity references (XXEs) from XML documents embedded within AMF3 messages. If the XML parsing is handled incorrectly it could potentially expose sensitive data on the server, denial of service, or server side request forgery.Show less
CVE-2017-3206 1Exadel 1Flamingo Nov 21, 2024 Jun 11, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The Java implementation of AMF3 deserializers used by Flamingo amf-serializer by Exadel, version 2.2.0, allows external entity references (XXEs) from XML documents embedded within AMF3 messages. If the XML parsing is han...Show more The Java implementation of AMF3 deserializers used by Flamingo amf-serializer by Exadel, version 2.2.0, allows external entity references (XXEs) from XML documents embedded within AMF3 messages. If the XML parsing is handled incorrectly it could potentially expose sensitive data on the server, denial of service, or server side request forgery.Show less
CVE-2018-6670 1Mcafee 1Common Catalog Nov 21, 2024 Jun 7, 2018 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 External Entity Attack vulnerability in the ePO extension in McAfee Common UI (CUI) 2.0.2 allows remote authenticated users to view confidential information via a crafted HTTP request parameter.
CVE-2018-1456 1Ibm 2Rational Rhapsody Design Manager Rational Software Architect Design Manager Nov 21, 2024 Jun 6, 2018 N/A· v4 7.1 HIGH· v3 5.5 MEDIUM· v2 IBM Rhapsody DM 5.0 through 5.0.2 and 6.0 through 6.0.5 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive infor...Show more IBM Rhapsody DM 5.0 through 5.0.2 and 6.0 through 6.0.5 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 140091.Show less
CVE-2018-11586 1Searchblox 1Searchblox Nov 21, 2024 Jun 5, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 XML external entity (XXE) vulnerability in api/rest/status in SearchBlox 8.6.7 allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML...Show more XML external entity (XXE) vulnerability in api/rest/status in SearchBlox 8.6.7 allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.Show less
CVE-2018-1000198 1Jenkins 1Black Duck Hub Nov 21, 2024 Jun 5, 2018 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 A XML external entity processing vulnerability exists in Jenkins Black Duck Hub Plugin 3.1.0 and older in PostBuildScanDescriptor.java that allows attackers with Overall/Read permission to make Jenkins process XML eterna...Show more A XML external entity processing vulnerability exists in Jenkins Black Duck Hub Plugin 3.1.0 and older in PostBuildScanDescriptor.java that allows attackers with Overall/Read permission to make Jenkins process XML eternal entities in an XML document.Show less
CVE-2018-10613 1Ge 1Mds Pulsenet Nov 21, 2024 Jun 4, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Multiple variants of XML External Entity (XXE) attacks may be used to exfiltrate data from the host Windows platform in GE MDS PulseNET and MDS PulseNET Enterprise version 3.2.1 and prior.
CVE-2018-10653 1Citrix 1Xenmobile Server Nov 21, 2024 May 23, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 There is an XML External Entity (XXE) Processing Vulnerability in Citrix XenMobile Server 10.8 before RP2 and 10.7 before RP3.
CVE-2018-1309 1Apache 1Nifi Nov 21, 2024 May 23, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Apache NiFi External XML Entity issue in SplitXML processor. Malicious XML content could cause information disclosure or remote code execution. The fix to disable external general entity parsing and disallow doctype decl...Show more Apache NiFi External XML Entity issue in SplitXML processor. Malicious XML content could cause information disclosure or remote code execution. The fix to disable external general entity parsing and disallow doctype declarations was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release.Show less
CVE-2018-8010 1Apache 1Solr Nov 21, 2024 May 21, 2018 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 This vulnerability in Apache Solr 6.0.0 to 6.6.3, 7.0.0 to 7.3.0 relates to an XML external entity expansion (XXE) in Solr config files (solrconfig.xml, schema.xml, managed-schema). In addition, Xinclude functionality pr...Show more This vulnerability in Apache Solr 6.0.0 to 6.6.3, 7.0.0 to 7.3.0 relates to an XML external entity expansion (XXE) in Solr config files (solrconfig.xml, schema.xml, managed-schema). In addition, Xinclude functionality provided in these config files is also affected in a similar way. The vulnerability can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network. Users are advised to upgrade to either Solr 6.6.4 or Solr 7.3.1 releases both of which address the vulnerability. Once upgrade is complete, no other steps are required. Those releases only allow external entities and Xincludes that refer to local files / zookeeper resources below the Solr instance directory (using Solr's ResourceLoader); usage of absolute URLs is denied. Keep in mind, that external entities and XInclude are explicitly supported to better structure config files in large installations. Before Solr 6 this was no problem, as config files were not accessible through the APIs.Show less
CVE-2018-4942 1Adobe 1Coldfusion May 6, 2025 May 19, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Adobe ColdFusion Update 5 and earlier versions, ColdFusion 11 Update 13 and earlier versions have an exploitable Unsafe XML External Entity Processing vulnerability. Successful exploitation could lead to information disc...Show more Adobe ColdFusion Update 5 and earlier versions, ColdFusion 11 Update 13 and earlier versions have an exploitable Unsafe XML External Entity Processing vulnerability. Successful exploitation could lead to information disclosure.Show less
CVE-2017-2815 1Igniterealtime 1User Import Export Nov 21, 2024 May 15, 2018 N/A· v4 8.1 HIGH· v3 5.5 MEDIUM· v2 An exploitable XML entity injection vulnerability exists in OpenFire User Import Export Plugin 2.6.0. A specially crafted web request can cause the retrieval of arbitrary files or denial of service. An authenticated atta...Show more An exploitable XML entity injection vulnerability exists in OpenFire User Import Export Plugin 2.6.0. A specially crafted web request can cause the retrieval of arbitrary files or denial of service. An authenticated attacker can send a crafted web request to trigger this vulnerability.Show less
CVE-2018-10832 1Modbuspal Project 1Modbuspal Nov 21, 2024 May 11, 2018 N/A· v4 5.5 MEDIUM· v3 4.3 MEDIUM· v2 ModbusPal 1.6b is vulnerable to an XML External Entity (XXE) attack. Projects are saved as .xmpp files and automations can be exported as .xmpa files, both XML-based, which are vulnerable to XXE injection. Sending a craf...Show more ModbusPal 1.6b is vulnerable to an XML External Entity (XXE) attack. Projects are saved as .xmpp files and automations can be exported as .xmpa files, both XML-based, which are vulnerable to XXE injection. Sending a crafted .xmpp or .xmpa file to a user, when opened/imported in ModbusPal, will return the contents of any local files to a remote attacker.Show less
CVE-2018-1259 2Pivotal Software Xmlbeam 3Spring Data Commons Spring Data RestXmlbeam Nov 21, 2024 May 11, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML exte...Show more Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system.Show less

Previous 1...515253...63 Next