Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

CVEs (1,249)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-27527 1Touki Kyoutaku Online 1Shinseiyo Sogo Soft Jan 28, 2025 May 10, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 Shinseiyo Sogo Soft (7.9A) and earlier improperly restricts XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the PC may be accessed by an attacker.
CVE-2022-45876 1Visam 1Vbase Jan 17, 2025 Apr 26, 2023 N/A· v4 5.5 MEDIUM· v3 N/A· v2 Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.
CVE-2023-29443 1Zohocorp 4Manageengine Assetexplorer Manageengine Servicedesk PlusManageengine Servicedesk Plus Msp+1 more Feb 3, 2025 Apr 26, 2023 N/A· v4 4.9 MEDIUM· v3 N/A· v2 Zoho ManageEngine ServiceDesk Plus before 14105, ServiceDesk Plus MSP before 14200, SupportCenter Plus before 14200, and AssetExplorer before 6989 allow SDAdmin attackers to conduct XXE attacks via a crafted server that...Show more Zoho ManageEngine ServiceDesk Plus before 14105, ServiceDesk Plus MSP before 14200, SupportCenter Plus before 14200, and AssetExplorer before 6989 allow SDAdmin attackers to conduct XXE attacks via a crafted server that sends malformed XML from a Reports integration API endpoint.Show less
CVE-2023-28009 1Hcltech 1Workload Automation Nov 21, 2024 Apr 26, 2023 N/A· v4 8.1 HIGH· v3 N/A· v2 HCL Workload Automation is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resour...Show more HCL Workload Automation is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. Show less
CVE-2023-28008 1Hcltech 1Workload Automation Nov 21, 2024 Apr 26, 2023 N/A· v4 8.1 HIGH· v3 N/A· v2 HCL Workload Automation 9.4, 9.5, and 10.1 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or c...Show more HCL Workload Automation 9.4, 9.5, and 10.1 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. Show less
CVE-2023-26058 1Nokia 1Netact Feb 4, 2025 Apr 25, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 An XXE issue was discovered in Nokia NetAct before 22 FP2211 via an XML document to a Performance Manager page. Input validation and a proper XML parser configuration are missing. For an external attacker, it is very dif...Show more An XXE issue was discovered in Nokia NetAct before 22 FP2211 via an XML document to a Performance Manager page. Input validation and a proper XML parser configuration are missing. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user.Show less
CVE-2023-26057 1Nokia 1Netact Feb 4, 2025 Apr 25, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 An XXE issue was discovered in Nokia NetAct before 22 FP2211 via an XML document to the Configuration Dashboard page. Input validation and a proper XML parser configuration are missing. For an external attacker, it is ve...Show more An XXE issue was discovered in Nokia NetAct before 22 FP2211 via an XML document to the Configuration Dashboard page. Input validation and a proper XML parser configuration are missing. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user.Show less
CVE-2023-27652 1Egostudiogroup 1Super Clean Feb 5, 2025 Apr 20, 2023 N/A· v4 5.5 MEDIUM· v3 N/A· v2 An issue found in Ego Studio SuperClean v.1.1.9 and v.1.1.5 allows an attacker to gain privileges cause a denial of service via the update_info field of the _default_.xml file.
CVE-2022-38840 1Guralp 1Man Eam 0003 Feb 6, 2025 Apr 16, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 cgi-bin/xmlstatus.cgi in Güralp MAN-EAM-0003 3.2.4 is vulnerable to an XML External Entity (XXE) issue via XML file upload, which leads to local file disclosure.
CVE-2023-26264 1Talend 1Data Catalog Feb 7, 2025 Apr 13, 2023 N/A· v4 5.5 MEDIUM· v3 N/A· v2 All versions of Talend Data Catalog before 8.0-20220907 are potentially vulnerable to XML External Entity (XXE) attacks in the license parsing code.
CVE-2023-26263 1Talend 1Data Catalog Feb 7, 2025 Apr 13, 2023 N/A· v4 5.5 MEDIUM· v3 N/A· v2 All versions of Talend Data Catalog before 8.0-20230110 are potentially vulnerable to XML External Entity (XXE) attacks in the /MIMBWebServices/license endpoint of the remote harvesting server.
CVE-2023-28828 1Siemens 1Polarion Alm Nov 21, 2024 Apr 11, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 A vulnerability has been identified in Polarion ALM (All versions < V22R2). The application contains a XML External Entity Injection (XXE) vulnerability. This could allow an attacker to view files on the application serv...Show more A vulnerability has been identified in Polarion ALM (All versions < V22R2). The application contains a XML External Entity Injection (XXE) vulnerability. This could allow an attacker to view files on the application server filesystem.Show less
CVE-2023-25955 1Mlit 1National Land Numerical Information Data Conversion Tool Feb 10, 2025 Apr 11, 2023 N/A· v4 5.5 MEDIUM· v3 N/A· v2 National land numerical information data conversion tool all versions improperly restricts XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the PC may be accessed by an...Show more National land numerical information data conversion tool all versions improperly restricts XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the PC may be accessed by an attacker.Show less
CVE-2023-28340 1Zohocorp 1Manageengine Applications Manager Feb 10, 2025 Apr 11, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Zoho ManageEngine Applications Manager through 16320 allows the admin user to conduct an XXE attack.
CVE-2023-27876 1Ibm 1Tririga Application Platform Nov 21, 2024 Apr 7, 2023 N/A· v4 7.1 HIGH· v3 N/A· v2 IBM TRIRIGA 4.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IB...Show more IBM TRIRIGA 4.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 249975.Show less
CVE-2023-20030 1Cisco 1Identity Services Engine Nov 21, 2024 Apr 5, 2023 N/A· v4 6.0 MEDIUM· v3 N/A· v2 A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access sensitive information, conduct a server-side request forgery (SSRF) at...Show more A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access sensitive information, conduct a server-side request forgery (SSRF) attack through an affected device, or negatively impact the responsiveness of the web-based management interface itself. This vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by uploading a crafted XML file that contains references to external entities. A successful exploit could allow the attacker to retrieve files from the local system, resulting in the disclosure of confidential information. A successful exploit could also cause the web application to perform arbitrary HTTP requests on behalf of the attacker or consume memory resources to reduce the availability of the web-based management interface. To successfully exploit this vulnerability, an attacker would need valid Super Admin or Policy Admin credentials.Show less
CVE-2022-43941 1Hitachi 1Vantara Pentaho Business Analytics Server Nov 21, 2024 Apr 3, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x do not correctly protect the Post Analysis service endpoint of the data access plugin against out-of-band XML Extern...Show more Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x do not correctly protect the Post Analysis service endpoint of the data access plugin against out-of-band XML External Entity Reference. Show less
CVE-2023-28684 1Jenkins 1Remote Jobs View Feb 20, 2025 Apr 2, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Jenkins remote-jobs-view-plugin Plugin 0.0.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2023-28683 1Jenkins 1Phabricator Differential Feb 21, 2025 Apr 2, 2023 N/A· v4 8.2 HIGH· v3 N/A· v2 Jenkins Phabricator Differential Plugin 2.1.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2023-28682 1Jenkins 1Performance Publisher Feb 25, 2025 Apr 2, 2023 N/A· v4 8.2 HIGH· v3 N/A· v2 Jenkins Performance Publisher Plugin 8.09 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

Previous 1...181920...63 Next