CWE-611

1,249 CVEs • Abstraction: Base

Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
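To make the weakness concrete, the following is an added illustration (not code from any product listed on this page): a Python standard-library SAX parser fed the classic XXE payload, a DOCTYPE that declares a SYSTEM entity pointing at a local file. With external general entity resolution switched on (the `feature_external_ges` feature, which is what a vulnerable configuration amounts to) the file's contents end up in the parsed document; with it off (the stdlib default since Python 3.7.1) the entity is silently skipped. The secret file, the target path and the document are constructed inside the example so it runs offline; the `has_doctype` pre-filter is a common defence-in-depth check, not something the CWE text prescribes.

```python
"""XXE in practice: external general entity resolution versus a hardened parser.

Added illustration for CWE-611 (not code from any product on this page).
Uses only the Python standard library SAX parser (expat). The secret file,
the document and the target path are constructed here for the demo.
"""
import io
import os
import re
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects all character data so we can see what the entity expanded to."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def build_xxe_document(target_path):
    """Classic XXE payload: a SYSTEM entity that points at a local file.

    In a real attack target_path would be something like /etc/passwd or an
    application config file; here it is whatever the caller constructs.
    """
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE note [\n"
        f'  <!ENTITY secret SYSTEM "file://{target_path}">\n'
        "]>\n"
        "<note><body>&secret;</body></note>"
    )


def parse_text(xml_text, resolve_external_entities):
    """Parse with the stdlib SAX parser and return the concatenated text content.

    resolve_external_entities=True mirrors the vulnerable configuration
    (feature_external_ges on: the parser fetches and inlines SYSTEM entities);
    False is the hardened setting and the parser's default since Python 3.7.1.
    """
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    parser.setFeature(feature_external_ges, resolve_external_entities)
    parser.parse(io.BytesIO(xml_text.encode("utf-8")))
    return "".join(handler.parts)


_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


def has_doctype(xml_bytes):
    """Defence-in-depth pre-check: does the document carry a DTD at all?

    A DTD is the only place an entity declaration can live, so refusing any
    document with a DOCTYPE shuts the door on both XXE and entity-expansion
    (billion laughs) denial of service, independent of parser settings.
    """
    return _DOCTYPE_RE.search(xml_bytes) is not None


def demo():
    """Returns (text leaked by the vulnerable parser, text from the hardened parser)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")
        with open(secret_path, "w", encoding="utf-8") as f:
            f.write("TOPSECRET-TOKEN")  # constructed stand-in for a real sensitive file
        doc = build_xxe_document(secret_path)
        leaked = parse_text(doc, resolve_external_entities=True)
        safe = parse_text(doc, resolve_external_entities=False)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable parser text:", repr(leaked))  # 'TOPSECRET-TOKEN'
    print("hardened parser text:  ", repr(safe))    # ''
    payload = build_xxe_document("/etc/passwd").encode("utf-8")
    print("pre-parse filter rejects payload:", has_doctype(payload))  # True
```

The same two knobs exist in every mainstream parser (for JAXP in Java, `disallow-doctype-decl` plus disabling `external-general-entities` and `external-parameter-entities`; for lxml, `resolve_entities=False` and `no_network=True`), and the safest posture for untrusted input is the pre-filter plus the hardened parser, since a parser feature left at its insecure default is exactly what most of the entries below describe.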


CVEs (1,249): 20 entries shown. Each entry lists vendor, product(s), last-updated and published dates, CVSS (v4 / v3 / v2), and the CVE description.

Ivanti: Connect Secure, Policy Secure, Zero Trust Access Gateway
Updated Oct 31, 2025 | Published Feb 13, 2024 | CVSS v3 8.3 HIGH (v4 N/A, v2 N/A)
An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain restricted resources without authentication.

SAP: NetWeaver Application Server Java
Updated Nov 21, 2024 | Published Feb 13, 2024 | CVSS v3 7.5 HIGH (v4 N/A, v2 N/A)
SAP NetWeaver AS Java (CAF - Guided Procedures) version 7.50 allows an unauthenticated attacker to submit a malicious request with a crafted XML file over the network, which when parsed will allow them to access sensitive files and data but not modify them. There are expansion limits in place so that availability is not affected.

Magic Software: Magic xpi Integration Platform
Updated Jun 17, 2025 | Published Feb 6, 2024 | CVSS v3 6.5 MEDIUM (v4 N/A, v2 N/A)
The XML parser in Magic xpi Integration Platform 4.13.4 allows XXE attacks, e.g., via onItemImport.

IBM: Security Verify Access, Security Verify Access Docker
Updated Nov 3, 2025 | Published Feb 3, 2024 | CVSS v3 7.1 HIGH (v4 N/A, v2 N/A)
IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 254783.

SEW-EURODRIVE: MOVITOOLS MotionStudio
Updated Nov 21, 2024 | Published Feb 1, 2024 | CVSS v3 7.5 HIGH (v4 N/A, v2 N/A)
When SEW-EURODRIVE MOVITOOLS MotionStudio processes XML information, unrestricted file access can occur.

OpenText: AppBuilder
Updated Nov 21, 2024 | Published Jan 29, 2024 | CVSS v3 6.5 MEDIUM (v4 N/A, v2 N/A)
Improper Restriction of XML External Entity Reference vulnerability in OpenText AppBuilder on Windows, Linux allows Server Side Request Forgery, Probe System Files. AppBuilder's XML processor is vulnerable to XML External Entity Processing (XXE), allowing an authenticated user to upload specially crafted XML files to induce server-side request forgery and disclose files local to the server that processes them. This issue affects AppBuilder: from 21.2 before 23.2.

MAFF: Electronic Delivery Check System
Updated Jun 5, 2025 | Published Jan 24, 2024 | CVSS v3 5.5 MEDIUM (v4 N/A, v2 N/A)
Electronic Delivery Check System (Ministry of Agriculture, Forestry and Fisheries, The Agriculture and Rural Development Project Version) March, Heisei 31 era edition Ver.14.0.001.002 and earlier improperly restricts XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker.

DFEG: Electronic Deliverables Creation Support Tool
Updated Nov 21, 2024 | Published Jan 24, 2024 | CVSS v3 5.5 MEDIUM (v4 N/A, v2 N/A)
Electronic Deliverables Creation Support Tool (Construction Edition) prior to Ver1.0.4 and Electronic Deliverables Creation Support Tool (Design & Survey Edition) prior to Ver1.0.4 improperly restrict XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker.

CALS/ED: Electronic Delivery Check System, Electronic Delivery Item Inspection Support System
Updated Jun 20, 2025 | Published Jan 24, 2024 | CVSS v3 5.5 MEDIUM (v4 N/A, v2 N/A)
Electronic Delivery Check System (Doboku) Ver.18.1.0 and earlier, Electronic Delivery Check System (Dentsu) Ver.12.1.0 and earlier, Electronic Delivery Check System (Kikai) Ver.10.1.0 and earlier, and Electronic Delivery Item Inspection Support System Ver.4.0.31 and earlier improperly restrict XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker.

Tozt: Spreadsheet::ParseXLSX
Updated Jun 2, 2025 | Published Jan 18, 2024 | CVSS v3 6.5 MEDIUM (v4 N/A, v2 N/A)
The Spreadsheet::ParseXLSX package before 0.30 for Perl allows XXE attacks because it neglects to use the no_xxe option of XML::Twig.

fontTools: fontTools
Updated Nov 21, 2024 | Published Jan 10, 2024 | CVSS v3 7.5 HIGH (v4 N/A, v2 N/A)
fontTools is a library for manipulating fonts, written in Python. The subsetting module has an XML External Entity Injection (XXE) vulnerability which allows an attacker to resolve arbitrary entities when a candidate font (OT-SVG fonts), which contains a SVG table, is parsed. This allows attackers to include arbitrary files from the filesystem fontTools is running on or make web requests from the host system. This vulnerability has been patched in version 4.43.0.

Qualys: Web Application Screening
Updated Nov 21, 2024 | Published Jan 9, 2024 | CVSS v3 6.5 MEDIUM (v4 N/A, v2 N/A)
Qualys Jenkins Plugin for WAS up to and including version 2.0.11 was identified to be affected by a security flaw: a missing permission check while performing a connectivity check to Qualys Cloud Services. This allowed any user with login access to configure or edit jobs to use the plugin and configure a rogue endpoint, via which it was possible to control the response for certain requests; that response could be injected with XXE payloads, leading to XXE while processing the response data.

Qualys: Policy Compliance
Updated Feb 13, 2025 | Published Jan 9, 2024 | CVSS v3 6.5 MEDIUM (v4 N/A, v2 N/A)
Qualys Jenkins Plugin for Policy Compliance up to and including version 1.0.5 was identified to be affected by a security flaw: a missing permission check while performing a connectivity check to Qualys Cloud Services. This allowed any user with login access to configure or edit jobs to use the plugin and configure a rogue endpoint, via which it was possible to control the response for certain requests; that response could be injected with XXE payloads, leading to XXE while processing the response data.

NetScout: nGeniusOne
Updated Jun 16, 2025 | Published Jan 9, 2024 | CVSS v3 9.8 CRITICAL (v4 N/A, v2 N/A)
An issue found in NetScout nGeniusOne v.6.3.4 allows a remote attacker to execute arbitrary code and cause a denial of service via a crafted file.

Unified Remote: Unified Remote
Updated Nov 21, 2024 | Published Dec 30, 2023 | CVSS v3 9.8 CRITICAL (v4 N/A, v2 N/A)
Unified Remote 3.13.0 allows remote attackers to execute arbitrary Lua code because of a wildcarded Access-Control-Allow-Origin for the Remote upload endpoint.

Ivanti: Avalanche
Updated Nov 21, 2024 | Published Dec 19, 2023 | CVSS v3 9.8 CRITICAL (v4 N/A, v2 N/A)
An unauthenticated attacker could abuse an XXE vulnerability in the Smart Device Server to leak data or perform a Server-Side Request Forgery (SSRF).

52North: WPS
Updated Nov 21, 2024 | Published Dec 19, 2023 | CVSS v3 7.5 HIGH (v4 N/A, v2 N/A)
An XXE (XML External Entity) vulnerability has been detected in 52North WPS affecting versions prior to 4.0.0-beta.11. This vulnerability allows the use of external entities in its WebProcessingService servlet, letting an attacker retrieve files and make HTTP requests to the internal network.

WSO2: API Manager, API Manager Analytics, API Microgateway, +4 more (7 products)
Updated Nov 21, 2024 | Published Dec 15, 2023 | CVSS v3 7.5 HIGH (v4 N/A, v2 N/A)
Multiple WSO2 products have been identified as vulnerable to an XML External Entity (XXE) attack, which abuses a widely available but rarely used feature of XML parsers to access sensitive information.

Europeana: Repox
Updated Nov 21, 2024 | Published Dec 13, 2023 | CVSS v3 7.5 HIGH (v4 N/A, v2 N/A)
An XXE vulnerability has been found in Repox, which allows a remote attacker to interfere with the application's XML data processing in the fileupload function, resulting in interaction between the attacker and the server's file system.

Eclipse: Memory Analyzer
Updated Nov 21, 2024 | Published Dec 11, 2023 | CVSS v3 7.1 HIGH (v4 N/A, v2 N/A)
In Eclipse Memory Analyzer versions 0.7 to 1.14.0, report definition XML files are not filtered to prohibit document type definition (DTD) references to external entities. This means that if a user chooses to use a malicious report definition XML file containing an external entity reference to generate a report, then Eclipse Memory Analyzer may access external files or URLs defined via a DTD in the report definition.