CWE-611

1,244 CVEs • Abstraction: Base

Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

CVEs (1,244)

Each entry lists vendors, products, the NVD update and publication dates, CVSS scores (v4 / v3 / v2), and the CVE description.

Vendors: Trendmicro
Products: Control Manager
Updated: Nov 21, 2024 | Published: Feb 9, 2018
CVSS: v4 N/A | v3 6.5 MEDIUM | v2 4.0 MEDIUM
An external entity processing information disclosure (XXE) vulnerability in Trend Micro Control Manager 6.0 could allow a remote attacker to disclose sensitive information on vulnerable installations.

Vendors: Apache
Products: Juddi
Updated: Nov 21, 2024 | Published: Feb 9, 2018
CVSS: v4 N/A | v3 8.1 HIGH | v2 6.8 MEDIUM
In Apache jUDDI 3.2 through 3.3.4, if using the WADL2Java or WSDL2Java classes, which parse a local or remote XML document and then mediate the data structures into UDDI data structures, there is little protection present against entity expansion and DTD type of attacks. Mitigation is to use 3.3.5.

Vendors: Extremewireless
Products: Wing
Updated: Nov 21, 2024 | Published: Feb 5, 2018
CVSS: v4 N/A | v3 7.5 HIGH | v2 5.0 MEDIUM
An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3. There is a Remote, Unauthenticated XML Entity Expansion Denial of Service on the WiNG Access Point / Controller via crafted XML entities to the Web User Interface.

Vendors: Microfocus
Products (2): Fortify Audit Workbench, Fortify Software Security Center
Updated: Nov 21, 2024 | Published: Feb 2, 2018
CVSS: v4 N/A | v3 9.8 CRITICAL | v2 7.5 HIGH
XML External Entity (XXE) vulnerability in Micro Focus Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC), versions 16.10, 16.20, 17.10. This vulnerability could be exploited to allow an XML External Entity (XXE) injection.

Vendors: Sugarcrm
Products: Sugarcrm
Updated: Nov 21, 2024 | Published: Feb 1, 2018
CVSS: v4 N/A | v3 9.8 CRITICAL | v2 7.5 HIGH
XML external entity (XXE) vulnerability in the RSSDashlet dashlet in SugarCRM before 6.5.17 allows remote attackers to read arbitrary files or potentially execute arbitrary code via a crafted DTD in an XML request.

Vendors (2): Fedoraproject, Zabbix
Products (2): Fedora, Zabbix
Updated: Nov 21, 2024 | Published: Feb 1, 2018
CVSS: v4 N/A | v3 9.8 CRITICAL | v2 7.5 HIGH
XML external entity (XXE) vulnerability in Zabbix 1.8.x before 1.8.21rc1, 2.0.x before 2.0.13rc1, 2.2.x before 2.2.5rc1, and 2.3.x before 2.3.2 allows remote attackers to read arbitrary files or potentially execute arbitrary code via a crafted DTD in an XML request.

Vendors: Ibm
Products: Content Navigator
Updated: Nov 21, 2024 | Published: Jan 29, 2018
CVSS: v4 N/A | v3 8.2 HIGH | v2 6.4 MEDIUM
IBM Content Navigator 2.0 and 3.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 137449.

Vendors: Asus
Products (16): Dsl Ac51 Firmware, Dsl Ac52u Firmware, Dsl Ac55u Firmware, +13 more
Updated: Nov 21, 2024 | Published: Jan 29, 2018
CVSS: v4 N/A | v3 6.5 MEDIUM | v2 4.0 MEDIUM
Multiple XML external entity (XXE) vulnerabilities in the AiCloud feature on ASUS DSL-AC51, DSL-AC52U, DSL-AC55U, DSL-N55U C1, DSL-N55U D1, DSL-AC56U, DSL-N10_C1, DSL-N12U C1, DSL-N12E C1, DSL-N14U, DSL-N14U-B1, DSL-N16, DSL-N16U, DSL-N17U, DSL-N66U, and DSL-AC750 routers allow remote authenticated users to read arbitrary files via a crafted DTD in (1) an UPDATEACCOUNT or (2) a PROPFIND request.

Vendors: Jenkins
Products: Warnings
Updated: Nov 21, 2024 | Published: Jan 23, 2018
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.5 MEDIUM
Jenkins Warnings Plugin 4.64 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.

Vendors: Jenkins
Products: Findbugs
Updated: Nov 21, 2024 | Published: Jan 23, 2018
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.5 MEDIUM
Jenkins FindBugs Plugin 4.71 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.

Vendors: Jenkins
Products: Dry
Updated: Nov 21, 2024 | Published: Jan 23, 2018
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.5 MEDIUM
Jenkins DRY Plugin 2.49 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.

Vendors: Jenkins
Products: Checkstyle
Updated: Nov 21, 2024 | Published: Jan 23, 2018
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.5 MEDIUM
Jenkins Checkstyle Plugin 3.49 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.

Vendors: Jenkins
Products: Pmd
Updated: Nov 21, 2024 | Published: Jan 23, 2018
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.5 MEDIUM
Jenkins PMD Plugin 3.49 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.

Vendors: Cisco
Products: Webex Meetings Server
Updated: Nov 21, 2024 | Published: Jan 18, 2018
CVSS: v4 N/A | v3 5.3 MEDIUM | v2 5.0 MEDIUM
A vulnerability in Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to collect customer files via an out-of-band XML External Entity (XXE) injection. An attacker could exploit this vulnerability to gain information to conduct additional reconnaissance attacks. The vulnerability is due to the ability of an attacker to perform an out-of-band XXE injection on the system, which could allow an attacker to capture customer files and redirect them to another destination address. An exploit could allow the attacker to discover sensitive customer data. Cisco Bug IDs: CSCvg36996.

Vendors: Cisco
Products: Anyconnect Secure Mobility Client
Updated: Nov 21, 2024 | Published: Jan 18, 2018
CVSS: v4 N/A | v3 4.4 MEDIUM | v2 3.6 LOW
A vulnerability in the Profile Editor of the Cisco AnyConnect Secure Mobility Client could allow an unauthenticated, local attacker to have read and write access to information stored in the affected system. The vulnerability is due to improper handling of the XML External Entity (XXE) entries when parsing an XML file. An attacker could exploit this vulnerability by injecting a crafted XML file with malicious entries, which could allow the attacker to read and write files. Cisco Bug IDs: CSCvg19341.

Vendors: Ibm
Products (8): Rational Collaborative Lifecycle Management, Rational Doors Next Generation, Rational Engineering Lifecycle Manager, +5 more
Updated: Nov 21, 2024 | Published: Jan 16, 2018
CVSS: v4 N/A | v3 6.5 MEDIUM | v2 4.0 MEDIUM
XML external entity (XXE) vulnerability in IBM Rational Team Concert 3.0 before 3.0.1.6 iFix7 Interim Fix 1, 4.0 before 4.0.7 iFix10, 5.0 before 5.0.2 iFix15, and 6.0 before 6.0.1 iFix4 allows remote authenticated users to cause a denial of service via crafted XML data. IBM X-Force ID: 109693.

Vendors: Ibm
Products: Security Key Lifecycle Manager
Updated: Nov 21, 2024 | Published: Jan 9, 2018
CVSS: v4 N/A | v3 8.1 HIGH | v2 5.5 MEDIUM
IBM Tivoli Key Lifecycle Manager 2.5, 2.6, and 2.7 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 133540.

Vendors: Xmlbundle Project
Products: Xmlbundle
Updated: Nov 21, 2024 | Published: Jan 3, 2018
CVSS: v4 N/A | v3 7.5 HIGH | v2 5.0 MEDIUM
XMLBundle version 0.1.7 is vulnerable to XXE attacks which can result in denial of service attacks.

Vendors: Androidsvg Project
Products: Androidsvg
Updated: Nov 21, 2024 | Published: Jan 3, 2018
CVSS: v4 N/A | v3 7.8 HIGH | v2 6.8 MEDIUM
AndroidSVG version 1.2.2 is vulnerable to XXE attacks in the SVG parsing component, resulting in denial of service and possibly remote code execution.

Vendors: Pepperminty Wiki Project
Products: Pepperminty Wiki
Updated: Nov 21, 2024 | Published: Jan 3, 2018
CVSS: v4 N/A | v3 9.8 CRITICAL | v2 7.5 HIGH
Pepperminty-Wiki version 0.15 is vulnerable to XXE attacks in the getsvgsize function, resulting in denial of service and possibly remote code execution.