Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

CVEs (1,249)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-46827 1Jetbrains 1Intellij Idea Nov 21, 2024 Dec 8, 2022 N/A· v4 5.5 MEDIUM· v3 N/A· v2 In JetBrains IntelliJ IDEA before 2022.3 an XXE attack leading to SSRF via requests to custom plugin repositories was possible.
CVE-2022-45326 1Kwoksys 1Information Server Apr 23, 2025 Dec 6, 2022 N/A· v4 4.9 MEDIUM· v3 N/A· v2 An XML external entity (XXE) injection vulnerability in Kwoksys Kwok Information Server before v2.9.5.SP31 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks.
CVE-2022-40771 1Zohocorp 4Manageengine Assetexplorer Manageengine Servicedesk PlusManageengine Servicedesk Plus Msp+1 more Apr 28, 2025 Nov 23, 2022 N/A· v4 4.9 MEDIUM· v3 N/A· v2 Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to an XML External Entity attack that leads to Information Disclosure.
CVE-2022-3980 1Sophos 1Mobile Apr 29, 2025 Nov 16, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An XML External Entity (XEE) vulnerability allows server-side request forgery (SSRF) and potential code execution in Sophos Mobile managed on-premises between versions 5.0.0 and 9.7.4.
CVE-2022-20938 1Cisco 1Secure Firewall Management Center Nov 26, 2024 Nov 15, 2022 N/A· v4 4.3 MEDIUM· v3 N/A· v2 A vulnerability in the module import function of the administrative interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to view sensitive information. This vulne...Show more A vulnerability in the module import function of the administrative interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to view sensitive information. This vulnerability is due to insufficient validation of the XML syntax when importing a module. An attacker could exploit this vulnerability by supplying a specially crafted XML file to the function. A successful exploit could allow the attacker to read sensitive data that would normally not be revealed.Show less
CVE-2022-45400 1Jenkins 1Japex Apr 30, 2025 Nov 15, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Jenkins JAPEX Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2022-45397 1Jenkins 1Osf Builder Suite \ Apr 30, 2025 Nov 15, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Jenkins OSF Builder Suite : : XML Linter Plugin 1.0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2022-45396 1Jenkins 1Sourcemonitor Apr 30, 2025 Nov 15, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Jenkins SourceMonitor Plugin 0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2022-45395 1Jenkins 1Cccc Apr 30, 2025 Nov 15, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Jenkins CCCC Plugin 0.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2022-45386 1Jenkins 1Violations Apr 30, 2025 Nov 15, 2022 N/A· v4 5.5 MEDIUM· v3 N/A· v2 Jenkins Violations Plugin 0.7.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2022-43689 1Concretecms 1Concrete Cms Apr 30, 2025 Nov 14, 2022 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XXE based DNS requests leading to IP disclosure.
CVE-2022-45194 1Bruhn Newtech 1Cbrn Analysis May 1, 2025 Nov 12, 2022 N/A· v4 4.7 MEDIUM· v3 N/A· v2 CBRN-Analysis before 22 allows XXE attacks via am mws XML document, leading to NTLMv2-SSP hash disclosure.
CVE-2022-43570 1Splunk 2Splunk Splunk Cloud Platform Nov 21, 2024 Nov 4, 2022 N/A· v4 6.5 MEDIUM· v3 N/A· v2 In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, an authenticated user can perform an extensible markup language (XML) external entity (XXE) injection via a custom View. The XXE injection causes Splunk Web t...Show more In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, an authenticated user can perform an extensible markup language (XML) external entity (XXE) injection via a custom View. The XXE injection causes Splunk Web to embed incorrect documents into an error. Show less
CVE-2022-3340 1Trellix 1Intrusion Prevention System Manager Nov 21, 2024 Nov 4, 2022 N/A· v4 7.2 HIGH· v3 N/A· v2 XML External Entity (XXE) vulnerability in Trellix IPS Manager prior to 10.1 M8 allows a remote authenticated administrator to perform XXE attack in the administrator interface part of the interface, which allows a saved...Show more XML External Entity (XXE) vulnerability in Trellix IPS Manager prior to 10.1 M8 allows a remote authenticated administrator to perform XXE attack in the administrator interface part of the interface, which allows a saved XML configuration file to be imported.Show less
CVE-2022-42745 1Auieosoftware 1Candidats Nov 21, 2024 Nov 3, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 CandidATS version 3.0.0 allows an external attacker to read arbitrary files from the server. This is possible because the application is vulnerable to XXE.
CVE-2022-40747 1Ibm 1Infosphere Information Server May 5, 2025 Nov 3, 2022 N/A· v4 9.1 CRITICAL· v3 N/A· v2 "IBM InfoSphere Information Server 11.7 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consu...Show more "IBM InfoSphere Information Server 11.7 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 236584."Show less
CVE-2022-31678 1Vmware 2Cloud Foundation Nsx Data Center May 8, 2025 Oct 28, 2022 N/A· v4 9.1 CRITICAL· v3 N/A· v2 VMware Cloud Foundation (NSX-V) contains an XML External Entity (XXE) vulnerability. On VCF 3.x instances with NSX-V deployed, this may allow a user to exploit this issue leading to a denial-of-service condition or unint...Show more VMware Cloud Foundation (NSX-V) contains an XML External Entity (XXE) vulnerability. On VCF 3.x instances with NSX-V deployed, this may allow a user to exploit this issue leading to a denial-of-service condition or unintended information disclosure.Show less
CVE-2022-43430 1Jenkins 1Compuware Topaz For Total Test May 8, 2025 Oct 19, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2022-43415 1Jenkins 1Repo May 9, 2025 Oct 19, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 Jenkins REPO Plugin 1.15.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2022-3338 1Mcafee 1Epolicy Orchestrator Nov 21, 2024 Oct 18, 2022 N/A· v4 5.4 MEDIUM· v3 N/A· v2 An External XML entity (XXE) vulnerability in ePO prior to 5.10 Update 14 can lead to an unauthenticated remote attacker to potentially trigger a Server Side Request Forgery attack. This can be exploited by mimicking the...Show more An External XML entity (XXE) vulnerability in ePO prior to 5.10 Update 14 can lead to an unauthenticated remote attacker to potentially trigger a Server Side Request Forgery attack. This can be exploited by mimicking the Agent Handler call to ePO and passing the carefully constructed XML file through the API.Show less

Previous 1...222324...63 Next