CWE-611

1,249 CVEs • Abstraction: Base

Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
CVEs (1,249)

Each entry lists the vendors, the products, the updated and published dates, the CVSS v4/v3/v2 scores, and the CVE description.

Vendor: Apache | Product: Cocoon
Updated: Feb 13, 2025 | Published: Nov 30, 2023
CVSS: v4 N/A | v3 9.8 CRITICAL | v2 N/A
Improper Restriction of XML External Entity Reference vulnerability in Apache Cocoon. This issue affects Apache Cocoon: from 2.2.0 before 2.3.0. Users are recommended to upgrade to version 2.3.0, which fixes the issue.

Vendor: Jenkins | Product: Matlab
Updated: Nov 21, 2024 | Published: Nov 29, 2023
CVSS: v4 N/A | v3 9.8 CRITICAL | v2 N/A
Jenkins MATLAB Plugin 2.11.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

Vendor: Adobe | Product: Robohelp Server
Updated: Nov 21, 2024 | Published: Nov 17, 2023
CVSS: v4 N/A | v3 7.5 HIGH | v2 N/A
Adobe RoboHelp Server versions 11.4 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to information disclosure by an unauthenticated attacker. Exploitation of this issue does not require user interaction.

Vendor: Siemens | Product: Siemens Opc Ua Modeling Editor
Updated: Nov 21, 2024 | Published: Nov 14, 2023
CVSS: v4 N/A | v3 7.5 HIGH | v2 N/A
A vulnerability has been identified in Siemens OPC UA Modelling Editor (SiOME) (All versions < V2.8). Affected products suffer from an XML external entity (XXE) injection vulnerability. This vulnerability could allow an attacker to interfere with an application's processing of XML data and read arbitrary files in the system.

Vendor: Eclipse | Products: Eclipse Ide, Org.eclipse.core.runtime, Pde
Updated: Nov 21, 2024 | Published: Nov 9, 2023
CVSS: v4 N/A | v3 5.0 MEDIUM | v2 N/A
In Eclipse IDE versions < 2023-09 (4.29) some files with XML content are parsed in a way that is vulnerable to all sorts of XXE attacks. The user just needs to open any evil project or update an open project with a vulnerable file (for example, to review a foreign repository or patch).

Vendor: Ni | Products: Diadem, Flexlogger, Topografix Data Plugin, +1 more
Updated: Nov 21, 2024 | Published: Nov 8, 2023
CVSS: v4 N/A | v3 5.5 MEDIUM | v2 N/A
An incorrect permission assignment in the TopoGrafix DataPlugin for GPX could result in information disclosure. An attacker could exploit this vulnerability by getting a user to open a specially crafted data file.

Vendor: Nta | Product: E Tax
Updated: Nov 21, 2024 | Published: Nov 6, 2023
CVSS: v4 N/A | v3 5.5 MEDIUM | v2 N/A
e-Tax software Version 3.0.10 and earlier improperly restricts XML external entity references (XXE) due to the configuration of the embedded XML parser. By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker.

Vendor: Opencrx | Product: Opencrx
Updated: Nov 21, 2024 | Published: Oct 30, 2023
CVSS: v4 N/A | v3 9.8 CRITICAL | v2 N/A
An issue in openCRX v.5.2.2 allows a remote attacker to read internal files and execute a server-side request forgery attack via an insecure DocumentBuilderFactory.

Vendor: Vermeg | Product: Agile Reporter
Updated: Nov 21, 2024 | Published: Oct 27, 2023
CVSS: v4 N/A | v3 6.5 MEDIUM | v2 N/A
An issue was discovered in VERMEG AgileReporter 21.3. XXE can occur via an XML document to the Analysis component.

Vendor: Dell | Products: Unity Operating Environment, Unity Xt Operating Environment, Unityvsa Operating Environment
Updated: Nov 21, 2024 | Published: Oct 23, 2023
CVSS: v4 N/A | v3 6.5 MEDIUM | v2 N/A
Dell Unity prior to 5.3 contains an XML External Entity injection vulnerability. An XXE attack could potentially exploit this vulnerability, disclosing local files in the file system.

Vendor: Omron | Product: Cx Designer
Updated: Nov 21, 2024 | Published: Oct 23, 2023
CVSS: v4 N/A | v3 5.5 MEDIUM | v2 N/A
CX-Designer Ver.3.740 and earlier (included in CX-One CXONE-AL[][]D-V4) contains an improper restriction of XML external entity reference (XXE) vulnerability. If a user opens a specially crafted project file created by an attacker, sensitive information in the file system where CX-Designer is installed may be disclosed.

Vendor: Northgrid | Product: Proself
Updated: Oct 24, 2025 | Published: Oct 18, 2023
CVSS: v4 N/A | v3 7.5 HIGH | v2 N/A
Proself Enterprise/Standard Edition Ver5.62 and earlier, Proself Gateway Edition Ver1.65 and earlier, and Proself Mail Sanitize Edition Ver1.08 and earlier allow a remote unauthenticated attacker to conduct XML External Entity (XXE) attacks. By processing a specially crafted request containing malformed XML data, arbitrary files on the server containing account information may be read by the attacker.

Vendor: Ibm | Products: Security Directory Server, Security Directory Suite, Security Verify Directory
Updated: Nov 21, 2024 | Published: Oct 14, 2023
CVSS: v4 N/A | v3 9.1 CRITICAL | v2 N/A
IBM Security Directory Server 6.4.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 228505.

Vendor: Microsoft | Products: Azure Hdinsight, Azure Hdinsights
Updated: Feb 11, 2026 | Published: Oct 10, 2023
CVSS: v4 N/A | v3 9.8 CRITICAL | v2 N/A
Azure HDInsight Apache Oozie Workflow Scheduler XXE Elevation of Privilege Vulnerability

Vendor: Sap | Product: Business One
Updated: Nov 21, 2024 | Published: Oct 10, 2023
CVSS: v4 N/A | v3 4.3 MEDIUM | v2 N/A
SAP Business One (B1i), version 10.0, allows an authorized attacker to retrieve the detailed stack trace of the fault message to conduct the XXE injection, which will lead to information disclosure. After successful exploitation, an attacker can cause a limited impact on confidentiality and no impact on integrity and availability.

Vendor: Jetbrains | Product: Ktor
Updated: Nov 21, 2024 | Published: Oct 9, 2023
CVSS: v4 N/A | v3 9.8 CRITICAL | v2 N/A
In JetBrains Ktor before 2.3.5, the default configuration of ContentNegotiation with XML format was vulnerable to XXE.

Vendor: Gradle | Product: Gradle
Updated: Apr 11, 2025 | Published: Oct 6, 2023
CVSS: v4 N/A | v3 5.3 MEDIUM | v2 N/A
Gradle is a build tool with a focus on build automation and support for multi-language development. In some cases, when Gradle parses XML files, resolving XML external entities is not disabled. Combined with an Out Of Band XXE attack (OOB-XXE), just parsing XML can lead to exfiltration of local text files to a remote server. Gradle parses XML files for several purposes. Most of the time, Gradle parses XML files it generated or that were already present locally. Only Ivy XML descriptors and Maven POM files can be fetched from remote repositories and parsed by Gradle. In Gradle 7.6.3 and 8.4, resolving XML external entities has been disabled for all use cases to protect against this vulnerability. Gradle will now refuse to parse XML files that have XML external entities.

Vendor: Mhlw | Product: Fd Application
Updated: Nov 21, 2024 | Published: Oct 2, 2023
CVSS: v4 N/A | v3 5.5 MEDIUM | v2 N/A
FD Application Apr. 2022 Edition (Version 9.01) and earlier improperly restricts XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker.

Vendors: Codehaus Plexus, Redhat | Products: Integration Camel K, Plexus Utils
Updated: Nov 21, 2024 | Published: Sep 25, 2023
CVSS: v4 N/A | v3 4.3 MEDIUM | v2 N/A
A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --> sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection.

Vendor: Ivanti | Product: Endpoint Manager
Updated: Nov 21, 2024 | Published: Sep 21, 2023
CVSS: v4 N/A | v3 7.5 HIGH | v2 N/A
An XXE (XML external entity injection) vulnerability exists in the CSEP component of Ivanti Endpoint Manager before 2022 SU4. External entity references are enabled in the XML parser configuration. Exploitation of this vulnerability can lead to file disclosure or Server Side Request Forgery.