CWE-611

1,249 CVEs • Abstraction: Base

Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
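The weakness in one runnable form, as an added example that is not part of the CWE entry or of any product listed below. It uses Python's standard-library SAX parser, which since Python 3.7.1 leaves external general entities disabled unless the application turns them on; the "vulnerable" configuration here is exactly that opt-in. The secret file, the DOCTYPE payload and the `TextCollector` handler are constructed for the demonstration. The same payload pointed at an http:// URL instead of a file path gives the SSRF variant that several of the entries below describe.

```python
"""CWE-611 (XXE) with xml.sax: the same document parsed under two entity policies.

Everything here is constructed for illustration: the secret file, the payload and
the handler. The attacker controls only the XML bytes; the defender controls the
parser configuration.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Accumulates character data; stands in for an app that echoes parsed text."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    @property
    def text(self):
        return "".join(self.parts)


def parse_document(xml_bytes, resolve_external_entities):
    """Parse attacker-supplied XML and return its text content.

    resolve_external_entities=True is the CWE-611 misconfiguration: the parser
    opens whatever SYSTEM identifier the document names (a local path here; an
    http:// URL would make it an SSRF primitive) and splices the result into the
    document's content.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text


def build_xxe_payload(target_path):
    """Classic XXE payload: declare an external entity in the internal DTD subset
    and reference it where the application will read character data."""
    return (
        '<?xml version="1.0"?>'
        f'<!DOCTYPE data [<!ENTITY xxe SYSTEM "{target_path}">]>'
        "<data>&xxe;</data>"
    ).encode()


def demo():
    """Return (text from the vulnerable parser, text from the hardened parser)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")
        with open(secret_path, "w") as f:
            f.write("db_password=hunter2")  # constructed sample secret
        payload = build_xxe_payload(secret_path)
        leaked = parse_document(payload, resolve_external_entities=True)
        hardened = parse_document(payload, resolve_external_entities=False)
    return leaked, hardened


if __name__ == "__main__":
    leaked, hardened = demo()
    print("vulnerable parser returned:", repr(leaked))
    print("hardened parser returned:  ", repr(hardened))
```

The vulnerable call returns the secret file's contents as if they had been written inside `<data>`; the hardened call returns an empty string because the entity reference is skipped. The equivalent switch in other stacks is `lxml.etree.XMLParser(resolve_entities=False)` and, in Java, setting the `http://apache.org/xml/features/disallow-doctype-decl` feature on the factory; `defusedxml` rejects entity declarations outright. Note the caveat the Splunk and IBM entries below point at: turning off external entities does not by itself bound internal entity expansion, so an application that never needs a DTD should reject the DOCTYPE entirely rather than only the external references.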


CVEs (1,249)

Each entry: vendor | product(s); updated | published | CVSS (v3 score, with v2 where scored; no v4 scores are present); description.

Edinet Fsa | Xbrl Data Create
Updated Nov 21, 2024 | Published Jul 19, 2023 | CVSS v3 5.5 MEDIUM
XBRL data create application version 7.0 and earlier improperly restricts XML external entity references (XXE). By processing a specially crafted XBRL file, arbitrary files on the system may be read by an attacker.

Google | Android
Updated Nov 21, 2024 | Published Jul 13, 2023 | CVSS v3 9.8 CRITICAL
In getPendingIntentLaunchFlags of ActivityOptions.java, there is a possible elevation of privilege due to a confused deputy with no additional execution privileges needed. User interaction is not needed for exploitation.

Jenkins | External Monitor Job Type
Updated Nov 21, 2024 | Published Jul 12, 2023 | CVSS v3 6.5 MEDIUM
Jenkins External Monitor Job Type Plugin 206.v9a_94ff0b_4a_10 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

Se | Ecostruxure Opc Ua Server Expert
Updated Nov 21, 2024 | Published Jul 12, 2023 | CVSS v3 5.5 MEDIUM
A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause loss of confidentiality when replacing a project file on the local filesystem and after manual restart of the server.

Zohocorp | Manageengine Admanager Plus
Updated Nov 21, 2024 | Published Jul 5, 2023 | CVSS v3 4.9 MEDIUM
Zoho ManageEngine ADManager Plus before 7183 allows admin users to exploit an XXE issue to view files.

Easy Parse Project | Easy Parse
Updated Nov 21, 2024 | Published Jun 29, 2023 | CVSS v3 7.5 HIGH
easy-parse v0.1.1 was discovered to contain a XML External Entity Injection (XXE) vulnerability which allows attackers to execute arbitrary code via a crafted XML file.

Py Xml Project | Py Xml
Updated Nov 21, 2024 | Published Jun 29, 2023 | CVSS v3 7.5 HIGH
py-xml v1.0 was discovered to contain an XML External Entity Injection (XXE) vulnerability which allows attackers to execute arbitrary code via a crafted XML file.

Requests Xml Project | Requests Xml
Updated Nov 21, 2024 | Published Jun 29, 2023 | CVSS v3 7.5 HIGH
requests-xml v0.2.3 was discovered to contain an XML External Entity Injection (XXE) vulnerability which allows attackers to execute arbitrary code via a crafted XML file.

Lenovo | Xclarity Administrator
Updated Nov 21, 2024 | Published Jun 26, 2023 | CVSS v3 7.5 HIGH
An unauthenticated XML external entity injection (XXE) vulnerability exists in LXCA's Common Information Model (CIM) server that could result in read-only access to specific files.

Dromara | Hutool
Updated Nov 21, 2024 | Published Jun 15, 2023 | CVSS v3 7.5 HIGH, v2 5.2 MEDIUM
A vulnerability, which was classified as problematic, has been found in Dromara HuTool up to 5.8.19. Affected by this issue is the function readBySax of the file XmlUtil.java of the component XML Parsing Module. The manipulation leads to xml external entity reference. The exploit has been disclosed to the public and may be used. VDB-231626 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Microfocus | Arcsight Logger
Updated Jan 6, 2025 | Published Jun 13, 2023 | CVSS v3 9.1 CRITICAL
Potential XML External Entity Injection in ArcSight Logger versions prior to 7.3.0.

Fujielectric | Frenic Rhc Loader
Updated Jan 3, 2025 | Published Jun 13, 2023 | CVSS v3 5.5 MEDIUM
Improper restriction of XML external entity reference (XXE) vulnerability exists in FRENIC RHC Loader v1.1.0.3 and earlier. If a user opens a specially crafted project file, sensitive information on the system where the affected product is installed may be disclosed.

Xml Library Project | Xml Library
Updated Jan 8, 2025 | Published Jun 5, 2023 | CVSS v3 7.5 HIGH
The xml-rs crate before 0.8.14 for Rust and Crab allows a denial of service (panic) via an invalid <! token (such as <!DOCTYPEs/%<!A nesting) in an XML document. The earliest affected version is 0.8.9.

Splunk | Splunk, Splunk Cloud Platform
Updated Nov 21, 2024 | Published Jun 1, 2023 | CVSS v3 6.5 MEDIUM
On Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, an unauthenticated attacker can send specially-crafted messages to the XML parser within SAML authentication to cause a denial of service in the Splunk daemon.

Opentext | Archive Center Administration
Updated Jan 17, 2025 | Published May 24, 2023 | CVSS v3 7.1 HIGH
The client in OpenText Archive Center Administration through 21.2 allows XXE attacks. Authenticated users of the OpenText Archive Center Administration client (Versions 16.2.3, 21.2, and older versions) could upload XML files to the application that it did not sufficiently validate. As a result, attackers could craft XML files that, when processed by the application, would cause a negative security impact such as data exfiltration or localized denial of service against the application instance and system of the user running it.

Weaver | E Cology
Updated Nov 21, 2024 | Published May 19, 2023 | CVSS v3 8.8 HIGH, v2 5.2 MEDIUM
A vulnerability classified as problematic was found in Weaver e-cology up to 9.0. Affected by this vulnerability is the function RequestInfoByXml of the component API. The manipulation leads to xml external entity reference. The associated identifier of this vulnerability is VDB-229411. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Cisco | Identity Services Engine
Updated Nov 21, 2024 | Published May 18, 2023 | CVSS v3 4.9 MEDIUM
Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to read arbitrary files or conduct a server-side request forgery (SSRF) attack through an affected device. To exploit these vulnerabilities, an attacker must have valid Administrator credentials on the affected device. For more information about these vulnerabilities, see the Details section of this advisory.

Cisco | Identity Services Engine
Updated Nov 21, 2024 | Published May 18, 2023 | CVSS v3 4.9 MEDIUM
Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to read arbitrary files or conduct a server-side request forgery (SSRF) attack through an affected device. To exploit these vulnerabilities, an attacker must have valid Administrator credentials on the affected device. For more information about these vulnerabilities, see the Details section of this advisory.

Schneider Electric | Opc Factory Server
Updated Nov 21, 2024 | Published May 16, 2023 | CVSS v3 5.5 MEDIUM
A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause unauthorized read access to the file system when a malicious configuration file is loaded on to the software by a local user.

Ibm | Websphere Application Server
Updated Jan 24, 2025 | Published May 11, 2023 | CVSS v3 9.1 CRITICAL
IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 249185.