Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

CVEs (1,249)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-42341 1Adobe 1Coldfusion Nov 21, 2024 Oct 14, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 Adobe ColdFusion versions Update 14 (and earlier) and Update 4 (and earlier) are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary file system read....Show more Adobe ColdFusion versions Update 14 (and earlier) and Update 4 (and earlier) are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary file system read. Exploitation of this issue does not require user interaction.Show less
CVE-2022-38419 1Adobe 1Coldfusion Nov 21, 2024 Oct 14, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 Adobe ColdFusion versions Update 14 (and earlier) and Update 4 (and earlier) are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary file system read....Show more Adobe ColdFusion versions Update 14 (and earlier) and Update 4 (and earlier) are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary file system read. Exploitation of this issue does not require user interaction.Show less
CVE-2022-42307 1Veritas 1Netbackup Nov 21, 2024 Oct 3, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue was discovered in Veritas NetBackup through 10.0.0.1 and related Veritas products. The NetBackup Primary server is vulnerable to an XML External Entity (XXE) Injection attack through the DiscoveryService service...Show more An issue was discovered in Veritas NetBackup through 10.0.0.1 and related Veritas products. The NetBackup Primary server is vulnerable to an XML External Entity (XXE) Injection attack through the DiscoveryService service.Show less
CVE-2022-42301 1Veritas 1Netbackup Nov 21, 2024 Oct 3, 2022 N/A· v4 8.8 HIGH· v3 N/A· v2 An issue was discovered in Veritas NetBackup through 10.0.0.1 and related Veritas products. The NetBackup Primary server is vulnerable to an XML External Entity (XXE) injection attack through the nbars process.
CVE-2022-34348 1Ibm 1Sterling Partner Engagement Manager May 22, 2025 Sep 23, 2022 N/A· v4 7.1 HIGH· v3 N/A· v2 IBM Sterling Partner Engagement Manager 6.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or c...Show more IBM Sterling Partner Engagement Manager 6.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 230017.Show less
CVE-2022-40705 1Apache 1Soap Nov 21, 2024 Sep 22, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 An Improper Restriction of XML External Entity Reference vulnerability in RPCRouterServlet of Apache SOAP allows an attacker to read arbitrary files over HTTP. This issue affects Apache SOAP version 2.2 and later version...Show more An Improper Restriction of XML External Entity Reference vulnerability in RPCRouterServlet of Apache SOAP allows an attacker to read arbitrary files over HTTP. This issue affects Apache SOAP version 2.2 and later versions. It is unknown whether previous versions are also affected. NOTE: This vulnerability only affects products that are no longer supported by the maintainerShow less
CVE-2022-41241 1Jenkins 1Rqm May 28, 2025 Sep 21, 2022 N/A· v4 9.1 CRITICAL· v3 N/A· v2 Jenkins RQM Plugin 2.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2022-41226 1Jenkins 1Compuware Common Configuration May 28, 2025 Sep 21, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Jenkins Compuware Common Configuration Plugin 1.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2022-38342 1Safe 1Fme Server Nov 21, 2024 Sep 13, 2022 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Safe Software FME Server v2021.2.5, v2022.0.0.2 and below was discovered to contain a XML External Entity (XXE) vulnerability which allows authenticated attackers to perform data exfiltration or Server-Side Request Forge...Show more Safe Software FME Server v2021.2.5, v2022.0.0.2 and below was discovered to contain a XML External Entity (XXE) vulnerability which allows authenticated attackers to perform data exfiltration or Server-Side Request Forgery (SSRF) attacks.Show less
CVE-2022-1700 1Forcepoint 5Cloud Security Gateway Data Loss PreventionEmail Security+2 more Nov 21, 2024 Sep 12, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Improper Restriction of XML External Entity Reference ('XXE') vulnerability in the Policy Engine of Forcepoint Data Loss Prevention (DLP), which is also leveraged by Forcepoint One Endpoint (F1E), Web Security Content Ga...Show more Improper Restriction of XML External Entity Reference ('XXE') vulnerability in the Policy Engine of Forcepoint Data Loss Prevention (DLP), which is also leveraged by Forcepoint One Endpoint (F1E), Web Security Content Gateway, Email Security with DLP enabled, and Cloud Security Gateway prior to June 20, 2022. The XML parser in the Policy Engine was found to be improperly configured to support external entities and external DTD (Document Type Definitions), which can lead to an XXE attack. This issue affects: Forcepoint Data Loss Prevention (DLP) versions prior to 8.8.2. Forcepoint One Endpoint (F1E) with Policy Engine versions prior to 8.8.2. Forcepoint Web Security Content Gateway versions prior to 8.5.5. Forcepoint Email Security with DLP enabled versions prior to 8.5.5. Forcepoint Cloud Security Gateway prior to June 20, 2022.Show less
CVE-2022-39135 1Apache 1Calcite Nov 21, 2024 Sep 11, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Apache Calcite 1.22.0 introduced the SQL operators EXISTS_NODE, EXTRACT_XML, XML_TRANSFORM and EXTRACT_VALUE do not restrict XML External Entity references in their configuration, making them vulnerable to a potential XM...Show more Apache Calcite 1.22.0 introduced the SQL operators EXISTS_NODE, EXTRACT_XML, XML_TRANSFORM and EXTRACT_VALUE do not restrict XML External Entity references in their configuration, making them vulnerable to a potential XML External Entity (XXE) attack. Therefore any client exposing these operators, typically by using Oracle dialect (the first three) or MySQL dialect (the last one), is affected by this vulnerability (the extent of it will depend on the user under which the application is running). From Apache Calcite 1.32.0 onwards, Document Type Declarations and XML External Entity resolution are disabled on the impacted operators.Show less
CVE-2022-37189 1Ddmal 1Mei2volpiano Nov 21, 2024 Sep 7, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 DDMAL MEI2Volpiano 0.8.2 is vulnerable to XML External Entity (XXE), leading to a Denial of Service. This occurs due to the usage of the unsafe 'xml.etree' library to parse untrusted XML input.
CVE-2022-36773 2Ibm Netapp 2Cognos Analytics Oncommand Insight Nov 21, 2024 Sep 1, 2022 N/A· v4 8.1 HIGH· v3 N/A· v2 IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information...Show more IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 233571.Show less
CVE-2022-2759 1Deltaww 1Delta Robot Automation Studio Nov 21, 2024 Aug 31, 2022 N/A· v4 8.6 HIGH· v3 N/A· v2 Delta Electronics Delta Robot Automation Studio (DRAS) versions prior to 1.13.20 are affected by improper restrictions where the software processes an XML document that can contain XML entities with URIs that resolve to...Show more Delta Electronics Delta Robot Automation Studio (DRAS) versions prior to 1.13.20 are affected by improper restrictions where the software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. This may allow an attacker to view sensitive documents and information on the affected host.Show less
CVE-2022-2330 1Mcafee 1Data Loss Prevention Endpoint Nov 21, 2024 Aug 30, 2022 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Improper Restriction of XML External Entity Reference vulnerability in DLP Endpoint for Windows prior to 11.9.100 allows a remote attacker to cause the DLP Agent to access a local service that the attacker wouldn't usual...Show more Improper Restriction of XML External Entity Reference vulnerability in DLP Endpoint for Windows prior to 11.9.100 allows a remote attacker to cause the DLP Agent to access a local service that the attacker wouldn't usually have access to via a carefully constructed XML file, which the DLP Agent doesn't parse correctly.Show less
CVE-2022-0217 1Prosody 1Prosody Nov 21, 2024 Aug 26, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursi...Show more It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611).Show less
CVE-2022-22489 1Ibm 1Mq Nov 21, 2024 Aug 19, 2022 N/A· v4 9.1 CRITICAL· v3 N/A· v2 IBM MQ 8.0, (9.0, 9.1, 9.2 LTS), and (9.1 and 9.2 CD) are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive infor...Show more IBM MQ 8.0, (9.0, 9.1, 9.2 LTS), and (9.1 and 9.2 CD) are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 226339.Show less
CVE-2020-14379 1Redhat 1Jboss A Mq Nov 21, 2024 Aug 16, 2022 N/A· v4 5.6 MEDIUM· v3 N/A· v2 A flaw was found in Red Hat AMQ Broker in a way that a XEE attack can be done via Broker's configuration files, leading to denial of service and information disclosure.
CVE-2022-2838 1Eclipse 1Sphinx Nov 21, 2024 Aug 16, 2022 N/A· v4 5.3 MEDIUM· v3 N/A· v2 In Eclipse Sphinx™ before version 0.13.1, Apache Xerces XML Parser was used without disabling processing of referenced external entities allowing the injection of arbitrary definitions which is able to access local files...Show more In Eclipse Sphinx™ before version 0.13.1, Apache Xerces XML Parser was used without disabling processing of referenced external entities allowing the injection of arbitrary definitions which is able to access local files and expose their contents via HTTP requests.Show less
CVE-2020-21641 1Zohocorp 1Manageengine Analytics Plus Nov 21, 2024 Aug 15, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 Out-of-Band XML External Entity (OOB-XXE) vulnerability in Zoho ManageEngine Analytics Plus before 4.3.5 allows remote attackers to read arbitrary files, enumerate folders and scan internal ports via crafted XML license...Show more Out-of-Band XML External Entity (OOB-XXE) vulnerability in Zoho ManageEngine Analytics Plus before 4.3.5 allows remote attackers to read arbitrary files, enumerate folders and scan internal ports via crafted XML license file.Show less

Previous 1...232425...63 Next