Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

CVEs (1,244)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2018-0765 1Microsoft 2.net Core .net Framework Nov 21, 2024 May 9, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 A denial of service vulnerability exists when .NET and .NET Core improperly process XML documents, aka ".NET and .NET Core Denial of Service Vulnerability." This affects Microsoft .NET Framework 2.0, Microsoft .NET Frame...Show more A denial of service vulnerability exists when .NET and .NET Core improperly process XML documents, aka ".NET and .NET Core Denial of Service Vulnerability." This affects Microsoft .NET Framework 2.0, Microsoft .NET Framework 3.0, Microsoft .NET Framework 4.7.1, Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1, Microsoft .NET Framework 4.5.2, Microsoft .NET Framework 4.7/4.7.1, Microsoft .NET Framework 4.6, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4.6/4.6.1/4.6.2, Microsoft .NET Framework 4.6.2/4.7/4.7.1, .NET Core 2.0, Microsoft .NET Framework 4.7.2.Show less
CVE-2018-1247 1Rsa 1Authentication Manager Nov 21, 2024 May 8, 2018 N/A· v4 7.1 HIGH· v3 5.8 MEDIUM· v2 RSA Authentication Manager Security Console, version 8.3 and earlier, contains a XML External Entity (XXE) vulnerability. This could potentially allow admin users to cause a denial of service or extract server data via i...Show more RSA Authentication Manager Security Console, version 8.3 and earlier, contains a XML External Entity (XXE) vulnerability. This could potentially allow admin users to cause a denial of service or extract server data via injecting a maliciously crafted DTD in an XML file submitted to the application.Show less
CVE-2018-1183 1Dell 16Emc Smis Emc Solutions Enabler Virtual ApplianceEmc Unisphere+13 more Nov 21, 2024 Apr 30, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 In Dell EMC Unisphere for VMAX Virtual Appliance versions prior to 8.4.0.8, Dell EMC Solutions Enabler Virtual Appliance versions prior to 8.4.0.8, Dell EMC VASA Provider Virtual Appliance versions prior to 8.4.0.512, De...Show more In Dell EMC Unisphere for VMAX Virtual Appliance versions prior to 8.4.0.8, Dell EMC Solutions Enabler Virtual Appliance versions prior to 8.4.0.8, Dell EMC VASA Provider Virtual Appliance versions prior to 8.4.0.512, Dell EMC SMIS versions prior to 8.4.0.6, Dell EMC VMAX Embedded Management (eManagement) versions prior to and including 1.4.0.347, Dell EMC VNX2 Operating Environment (OE) for File versions prior to 8.1.9.231, Dell EMC VNX2 Operating Environment (OE) for Block versions prior to 05.33.009.5.231, Dell EMC VNX1 Operating Environment (OE) for File versions prior to 7.1.82.0, Dell EMC VNX1 Operating Environment (OE) for Block versions prior to 05.32.000.5.225, Dell EMC VNXe3200 Operating Environment (OE) all versions, Dell EMC VNXe1600 Operating Environment (OE) versions prior to 3.1.9.9570228, Dell EMC VNXe 3100/3150/3300 Operating Environment (OE) all versions, Dell EMC ViPR SRM versions 3.7, 3.7.1, 3.7.2 (only if using Dell EMC Host Interface for Windows), Dell EMC ViPR SRM versions 4.0, 4.0.1, 4.0.2, 4.0.3 (only if using Dell EMC Host Interface for Windows), Dell EMC XtremIO versions 4.x, Dell EMC VMAX eNAS version 8.x, Dell EMC Unity Operating Environment (OE) versions prior to 4.3.0.1522077968, ECOM is affected by a XXE injection vulnerability due to the configuration of the XML parser shipped with the product. XXE Injection attack may occur when XML input containing a reference to an external entity (defined by the attacker) is processed by an affected XML parser. XXE Injection may allow attackers to gain unauthorized access to files containing sensitive information or may be used to cause denial-of-service.Show less
CVE-2017-15691 1Apache 4Uima As UimaduccUimafit+1 more Nov 21, 2024 Apr 26, 2018 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to 3.0.0-beta, Apache uima-as prior to 2.10.2, Apache uimaFIT prior to 2.4.0, Apache uimaDUCC prior to 2.2.2, this vulnerability relates to an XML external en...Show more In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to 3.0.0-beta, Apache uima-as prior to 2.10.2, Apache uimaFIT prior to 2.4.0, Apache uimaDUCC prior to 2.2.2, this vulnerability relates to an XML external entity expansion (XXE) capability of various XML parsers. UIMA as part of its configuration and operation may read XML from various sources, which could be tainted in ways to cause inadvertent disclosure of local files or other internal content.Show less
CVE-2018-10175 1Digitalguardian 1Management Console Nov 21, 2024 Apr 20, 2018 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 Digital Guardian Management Console 7.1.2.0015 has an XXE issue.
CVE-2018-10077 1Vertiv 1Watchdog Console Nov 21, 2024 Apr 20, 2018 N/A· v4 4.9 MEDIUM· v3 4.0 MEDIUM· v2 XML external entity (XXE) vulnerability in Geist WatchDog Console 3.2.2 allows remote authenticated administrators to read arbitrary files via crafted XML data.
CVE-2014-0950 1Ibm 1Rational Clearquest Nov 21, 2024 Apr 20, 2018 N/A· v4 7.1 HIGH· v3 5.5 MEDIUM· v2 Multiple XML external entity (XXE) vulnerabilities in (1) CQWeb / CM Server, (2) ClearQuest Native client, (3) ClearQuest Eclipse client, and (4) ClearQuest Eclipse Designer components in IBM Rational ClearQuest 7.1.1 th...Show more Multiple XML external entity (XXE) vulnerabilities in (1) CQWeb / CM Server, (2) ClearQuest Native client, (3) ClearQuest Eclipse client, and (4) ClearQuest Eclipse Designer components in IBM Rational ClearQuest 7.1.1 through 7.1.1.9, 7.1.2 through 7.1.2.13, 8.0.0 through 8.0.0.10, and 8.0.1 through 8.0.1.3 allow remote attackers to cause a denial of service or access other servers via crafted XML data. IBM X-Force ID: 92623.Show less
CVE-2014-0931 1Ibm 1Rational Clearcase Nov 21, 2024 Apr 20, 2018 N/A· v4 9.1 CRITICAL· v3 6.4 MEDIUM· v2 Multiple XML external entity (XXE) vulnerabilities in the (1) CCRC WAN Server / CM Server, (2) Perl CC/CQ integration trigger scripts, (3) CMAPI Java interface, (4) ClearCase remote client, and (5) CMI and OSLC-based Cle...Show more Multiple XML external entity (XXE) vulnerabilities in the (1) CCRC WAN Server / CM Server, (2) Perl CC/CQ integration trigger scripts, (3) CMAPI Java interface, (4) ClearCase remote client, and (5) CMI and OSLC-based ClearQuest integrations components in IBM Rational ClearCase 7.1.0.x, 7.1.1.x, 7.1.2 through 7.1.2.13, 8.0 through 8.0.0.10, and 8.0.1 through 8.0.1.3 allow remote attackers to cause a denial of service or access other servers via crafted XML data. IBM X-Force ID: 92263.Show less
CVE-2017-8315 1Eclipse 1Ide Nov 21, 2024 Apr 20, 2018 N/A· v4 7.5 HIGH· v3 7.8 HIGH· v2 Eclipse XML parser for the Eclipse IDE versions 2017.2.5 and earlier was found vulnerable to an XML External Entity attack. An attacker can exploit the vulnerability by implementing malicious code on Androidmanifest.xml.
CVE-2017-6323 1Symantec 1Management Console Nov 21, 2024 Apr 16, 2018 N/A· v4 8.0 HIGH· v3 5.2 MEDIUM· v2 The Symantec Management Console prior to ITMS 8.1 RU1, ITMS 8.0_POST_HF6, and ITMS 7.6_POST_HF7 has an issue whereby XML input containing a reference to an external entity is processed by a weakly configured XML parser....Show more The Symantec Management Console prior to ITMS 8.1 RU1, ITMS 8.0_POST_HF6, and ITMS 7.6_POST_HF7 has an issue whereby XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.Show less
CVE-2018-1308 2Apache Debian 2Debian Linux Solr Nov 21, 2024 Apr 9, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 This vulnerability in Apache Solr 1.2 to 6.6.2 and 7.0.0 to 7.2.1 relates to an XML external entity expansion (XXE) in the `&dataConfig=<inlinexml>` parameter of Solr's DataImportHandler. It can be used as XXE using file...Show more This vulnerability in Apache Solr 1.2 to 6.6.2 and 7.0.0 to 7.2.1 relates to an XML external entity expansion (XXE) in the `&dataConfig=<inlinexml>` parameter of Solr's DataImportHandler. It can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network.Show less
CVE-2018-1421 1Ibm 1Datapower Gateway Nov 21, 2024 Apr 4, 2018 N/A· v4 7.1 HIGH· v3 5.5 MEDIUM· v2 IBM WebSphere DataPower Appliances 7.1, 7.2, 7.5, 7.5.1, 7.5.2, and 7.6 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose...Show more IBM WebSphere DataPower Appliances 7.1, 7.2, 7.5, 7.5.1, 7.5.2, and 7.6 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 139023.Show less
CVE-2018-9116 1Wiremock 1Wiremock Nov 21, 2024 Mar 29, 2018 N/A· v4 9.1 CRITICAL· v3 6.4 MEDIUM· v2 An XXE vulnerability within WireMock before 2.16.0 allows a remote unauthenticated attacker to access local files and internal resources and potentially cause a Denial of Service.
CVE-2015-7461 1Ibm 1Connections Nov 21, 2024 Mar 20, 2018 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 XML external entity (XXE) vulnerability in IBM Connections 3.0.1.1 and earlier, 4.0, 4.5, and 5.0 before CR4 allows remote authenticated users to cause a denial of service (memory consumption) via crafted XML data. IBM X...Show more XML external entity (XXE) vulnerability in IBM Connections 3.0.1.1 and earlier, 4.0, 4.5, and 5.0 before CR4 allows remote authenticated users to cause a denial of service (memory consumption) via crafted XML data. IBM X-Force ID: 108357.Show less
CVE-2014-3990 1Opencart 1Opencart Nov 21, 2024 Mar 20, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The Cart::getProducts method in system/library/cart.php in OpenCart 1.5.6.4 and earlier allows remote attackers to conduct server-side request forgery (SSRF) attacks or possibly conduct XML External Entity (XXE) attacks...Show more The Cart::getProducts method in system/library/cart.php in OpenCart 1.5.6.4 and earlier allows remote attackers to conduct server-side request forgery (SSRF) attacks or possibly conduct XML External Entity (XXE) attacks and execute arbitrary code via a crafted serialized PHP object, related to the quantity parameter in an update request.Show less
CVE-2018-6225 1Trendmicro 1Email Encryption Gateway Nov 21, 2024 Mar 15, 2018 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 An XML external entity injection (XXE) vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an authenticated user to expose a normally protected configuration script.
CVE-2018-2401 1Redwood 1Sap Business Process Automation Nov 21, 2024 Mar 14, 2018 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 SAP Business Process Automation (BPA) By Redwood does not sufficiently validate an XML document accepted from an untrusted source resulting in an XML External Entity (XXE) vulnerability.
CVE-2018-1077 1Redhat 2Satellite Spacewalk Nov 21, 2024 Mar 14, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Spacewalk 2.6 contains an API which has an XXE flaw allowing for the disclosure of potentially sensitive information from the server.
CVE-2018-0878 1Microsoft 7Windows 10 Windows 7Windows 8.1+4 more Apr 4, 2025 Mar 14, 2018 N/A· v4 3.1 LOW· v3 2.6 LOW· v2 Windows Remote Assistance in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and 1709, Windows Server 2016 and Windows S...Show more Windows Remote Assistance in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and 1709, Windows Server 2016 and Windows Server, version 1709 allows an information disclosure vulnerability due to how XML External Entities (XXE) are processed, aka "Windows Remote Assistance Information Disclosure Vulnerability".Show less
CVE-2018-1000124 1Scilico 1I, Librarian Dec 5, 2025 Mar 13, 2018 N/A· v4 10.0 CRITICAL· v3 7.5 HIGH· v2 I Librarian I-librarian version 4.8 and earlier contains a XML External Entity (XXE) vulnerability in line 154 of importmetadata.php(simplexml_load_string) that can result in an attacker reading the contents of a file an...Show more I Librarian I-librarian version 4.8 and earlier contains a XML External Entity (XXE) vulnerability in line 154 of importmetadata.php(simplexml_load_string) that can result in an attacker reading the contents of a file and SSRF. This attack appear to be exploitable via posting xml in the Parameter form_import_textarea.Show less

Previous 1...525354...63 Next