Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

CVEs (1,244)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2018-1000090 1Textpattern 1Textpattern Nov 21, 2024 Mar 13, 2018 N/A· v4 7.5 HIGH· v3 7.8 HIGH· v2 textpattern version version 4.6.2 contains a XML Injection vulnerability in Import XML feature that can result in Denial of service in context to the web server by exhausting server memory resources. This attack appear t...Show more textpattern version version 4.6.2 contains a XML Injection vulnerability in Import XML feature that can result in Denial of service in context to the web server by exhausting server memory resources. This attack appear to be exploitable via Uploading a specially crafted XML file.Show less
CVE-2018-1000069 2Debian Freeplane 2Debian Linux Freeplane Nov 21, 2024 Mar 13, 2018 N/A· v4 5.5 MEDIUM· v3 4.3 MEDIUM· v2 FreePlane version 1.5.9 and earlier contains a XML External Entity (XXE) vulnerability in XML Parser in mindmap loader that can result in stealing data from victim's machine. This attack appears to require the victim to...Show more FreePlane version 1.5.9 and earlier contains a XML External Entity (XXE) vulnerability in XML Parser in mindmap loader that can result in stealing data from victim's machine. This attack appears to require the victim to open a specially crafted mind map file. This vulnerability appears to have been fixed in 1.6+.Show less
CVE-2018-5758 1Aurea 1Jive N Nov 21, 2024 Mar 12, 2018 N/A· v4 6.5 MEDIUM· v3 6.8 MEDIUM· v2 The Upload File functionality in upload.jspa in Aurea Jive Jive-n 9.0.2.1 On-Premises allows for an XML External Entity attack through a crafted file, allowing attackers to read arbitrary files.
CVE-2016-0250 1Ibm 1Infosphere Information Server Nov 21, 2024 Mar 12, 2018 N/A· v4 5.4 MEDIUM· v3 5.5 MEDIUM· v2 XML external entity (XXE) vulnerability in IBM InfoSphere Information Governance Catalog 11.3 before 11.3.1.2 and 11.5 before 11.5.0.1 allows remote authenticated users to read arbitrary files or cause a denial of servic...Show more XML external entity (XXE) vulnerability in IBM InfoSphere Information Governance Catalog 11.3 before 11.3.1.2 and 11.5 before 11.5.0.1 allows remote authenticated users to read arbitrary files or cause a denial of service via crafted XML data. IBM X-Force ID: 110510.Show less
CVE-2018-7230 1Schneider Electric 20Ibp1110 1er Firmware Ibp219 1er FirmwareIbp319 1er Firmware+17 more Nov 21, 2024 Mar 9, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A XML external entity (XXE) vulnerability exists in the import.cgi of the web interface component of the Schneider Electric's Pelco Sarix Professional in all firmware versions prior to 3.29.67.
CVE-2016-0268 1Ibm 1Financial Transaction Manager Nov 21, 2024 Mar 9, 2018 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 XML external entity (XXE) vulnerability in IBM Financial Transaction Manager (FTM) for ACH Services for Multi-Platform 2.1.1.2 and 3.0.0.x before fp0013, Financial Transaction Manager (FTM) for Check Services for Multi-P...Show more XML external entity (XXE) vulnerability in IBM Financial Transaction Manager (FTM) for ACH Services for Multi-Platform 2.1.1.2 and 3.0.0.x before fp0013, Financial Transaction Manager (FTM) for Check Services for Multi-Platform 2.1.1.2 and 3.0.0.x before fp0013, and Financial Transaction Manager (FTM) for Corporate Payment Services (CPS) for Multi-Platform 2.1.1.2 and 3.0.0.x before fp0013 allows remote authenticated users to obtain sensitive information via crafted XML data. IBM X-Force ID: 110915.Show less
CVE-2018-0218 1Cisco 1Secure Access Control Server Solution Engine Nov 21, 2024 Mar 8, 2018 N/A· v4 3.3 LOW· v3 4.3 MEDIUM· v2 A vulnerability in the web-based user interface of the Cisco Secure Access Control Server prior to 5.8 patch 9 could allow an unauthenticated, remote attacker to gain read access to certain information in the affected sy...Show more A vulnerability in the web-based user interface of the Cisco Secure Access Control Server prior to 5.8 patch 9 could allow an unauthenticated, remote attacker to gain read access to certain information in the affected system. The vulnerability is due to improper handling of XML External Entities (XXEs) when parsing an XML file. An attacker could exploit this vulnerability by convincing the administrator of an affected system to import a crafted XML file. Cisco Bug IDs: CSCve70616.Show less
CVE-2018-0207 1Cisco 1Secure Access Control Server Solution Engine Nov 21, 2024 Mar 8, 2018 N/A· v4 3.3 LOW· v3 4.3 MEDIUM· v2 A vulnerability in the web-based user interface of the Cisco Secure Access Control Server prior to 5.8 patch 9 could allow an unauthenticated, remote attacker to gain read access to certain information in the affected sy...Show more A vulnerability in the web-based user interface of the Cisco Secure Access Control Server prior to 5.8 patch 9 could allow an unauthenticated, remote attacker to gain read access to certain information in the affected system. The vulnerability is due to improper handling of XML External Entities (XXEs) when parsing an XML file. An attacker could exploit this vulnerability by convincing the administrator of an affected system to import a crafted XML file. Cisco Bug IDs: CSCve70595.Show less
CVE-2017-7426 1Netiq 1Identity Manager Nov 21, 2024 Mar 1, 2018 N/A· v4 9.1 CRITICAL· v3 6.4 MEDIUM· v2 The NetIQ Identity Manager Plugins before 4.6.1 contained various XML External XML Entity (XXE) handling flaws that could be used by attackers to leak information or cause denial of service attacks.
CVE-2017-18197 1Jgraph 1Mxgraph Nov 21, 2024 Feb 24, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 In mxGraphViewImageReader.java in mxGraph before 3.7.6, the SAXParserFactory instance in convert() is missing flags to prevent XML External Entity (XXE) attacks, as demonstrated by /ServerView.
CVE-2018-6489 1Microfocus 1Project And Portfolio Management Center Nov 21, 2024 Feb 22, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 XML External Entity (XXE) vulnerability in Micro Focus Project and Portfolio Management Center, version 9.32. This vulnerability can be exploited to allow XML External Entity (XXE)
CVE-2017-1758 1Ibm 3Control Center Financial Transaction ManagerTransformation Extender Advanced Nov 21, 2024 Feb 21, 2018 N/A· v4 7.1 HIGH· v3 5.5 MEDIUM· v2 IBM Financial Transaction Manager for ACH Services for Multi-Platform (IBM Control Center 6.0 and 6.1, IBM Financial Transaction Manager 3.0.2, 3.0.3, 3.0.4, and 3.1.0, IBM Transformation Extender Advanced 9.0) is vulner...Show more IBM Financial Transaction Manager for ACH Services for Multi-Platform (IBM Control Center 6.0 and 6.1, IBM Financial Transaction Manager 3.0.2, 3.0.3, 3.0.4, and 3.1.0, IBM Transformation Extender Advanced 9.0) is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 135859.Show less
CVE-2016-0369 1Ibm 1Forms Experience Builder Nov 21, 2024 Feb 21, 2018 N/A· v4 2.7 LOW· v3 4.0 MEDIUM· v2 XML external entity (XXE) vulnerability in IBM Forms Experience Builder 8.5, 8.5.1, and 8.6 allows remote authenticated users to obtain sensitive information via crafted XML data. IBM X-Force ID: 112088.
CVE-2017-7375 3Debian GoogleXmlsoft 3Android Debian LinuxLibxml2 Dec 3, 2025 Feb 19, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A flaw in libxml2 allows remote XML entity inclusion with default parser flags (i.e., when the caller did not request entity substitution, DTD validation, external DTD subset loading, or default DTD attributes). Dependin...Show more A flaw in libxml2 allows remote XML entity inclusion with default parser flags (i.e., when the caller did not request entity substitution, DTD validation, external DTD subset loading, or default DTD attributes). Depending on the context, this may expose a higher-risk attack surface in libxml2 not usually reachable with default parser flags, and expose content from local files, HTTP, or FTP servers (which might be otherwise unreachable).Show less
CVE-2017-5828 1Hp 1Aruba Clearpass Policy Manager Nov 21, 2024 Feb 15, 2018 N/A· v4 8.1 HIGH· v3 5.5 MEDIUM· v2 An arbitrary command execution vulnerability in HPE Aruba ClearPass Policy Manager version 6.6.x was found.
CVE-2018-2393 1Sap 1Internet Graphics Server Nov 21, 2024 Feb 14, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Under certain conditions SAP Internet Graphics Server (IGS) 7.20, 7.20EXT, 7.45, 7.49, 7.53, fails to validate XML External Entity appropriately causing the SAP Internet Graphics Server (IGS) to become unavailable.
CVE-2018-2392 1Sap 1Internet Graphics Server Nov 21, 2024 Feb 14, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Under certain conditions SAP Internet Graphics Server (IGS) 7.20, 7.20EXT, 7.45, 7.49, 7.53, fails to validate XML External Entity appropriately causing the SAP Internet Graphics Server (IGS) to become unavailable.
CVE-2018-1000056 1Jenkins 1Junit Nov 21, 2024 Feb 9, 2018 N/A· v4 8.3 HIGH· v3 6.5 MEDIUM· v2 Jenkins JUnit Plugin 1.23 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perfo...Show more Jenkins JUnit Plugin 1.23 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.Show less
CVE-2018-1000055 1Jenkins 1Android Lint Nov 21, 2024 Feb 9, 2018 N/A· v4 8.3 HIGH· v3 6.5 MEDIUM· v2 Jenkins Android Lint Plugin 2.5 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master,...Show more Jenkins Android Lint Plugin 2.5 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.Show less
CVE-2018-1000054 1Jenkins 1Ccm Nov 21, 2024 Feb 9, 2018 N/A· v4 8.3 HIGH· v3 6.5 MEDIUM· v2 Jenkins CCM Plugin 3.1 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform...Show more Jenkins CCM Plugin 3.1 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.Show less

Previous 1...535455...63 Next