Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

CVEs (1,249)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-2458 1Redhat 1Process Automation Manager Nov 21, 2024 Aug 10, 2022 N/A· v4 8.2 HIGH· v3 N/A· v2 XML external entity injection(XXE) is a vulnerability that allows an attacker to interfere with an application's processing of XML data. This attack occurs when XML input containing a reference to an external entity is p...Show more XML external entity injection(XXE) is a vulnerability that allows an attacker to interfere with an application's processing of XML data. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. Here, XML external entity injection lead to External Service interaction & Internal file read in Business Central and also Kie-Server APIs.Show less
CVE-2022-1704 1Inductiveautomation 1Ignition Nov 21, 2024 Aug 5, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Due to an XML external entity reference, the software parses XML in the backup/restore functionality without XML security flags, which may lead to a XXE attack while restoring the backup.
CVE-2022-31775 1Ibm 1Datapower Gateway Nov 21, 2024 Aug 1, 2022 N/A· v4 9.1 CRITICAL· v3 N/A· v2 IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote a...Show more IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 228359.Show less
CVE-2022-2414 1Dogtagpki 1Dogtagpki Nov 21, 2024 Jul 29, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 Access to external entities when parsing XML documents can lead to XML external entity (XXE) attacks. This flaw allows a remote attacker to potentially retrieve the content of arbitrary files by sending specially crafted...Show more Access to external entities when parsing XML documents can lead to XML external entity (XXE) attacks. This flaw allows a remote attacker to potentially retrieve the content of arbitrary files by sending specially crafted HTTP requests.Show less
CVE-2022-27873 1Autodesk 1Fusion 360 Nov 21, 2024 Jul 29, 2022 N/A· v4 7.8 HIGH· v3 N/A· v2 An attacker can force the victim’s device to perform arbitrary HTTP requests in WAN through a malicious SVG file being parsed by Autodesk Fusion 360’s document parser. The vulnerability exists in the application’s ‘Inser...Show more An attacker can force the victim’s device to perform arbitrary HTTP requests in WAN through a malicious SVG file being parsed by Autodesk Fusion 360’s document parser. The vulnerability exists in the application’s ‘Insert SVG’ procedure. An attacker can also leverage this vulnerability to obtain victim’s public IP and possibly other sensitive information.Show less
CVE-2021-42537 1Visam 1Vbase Web Remote Apr 17, 2025 Jul 27, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 VISAM VBASE version 11.6.0.6 processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into it...Show more VISAM VBASE version 11.6.0.6 processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.Show less
CVE-2022-31471 1Untangle Project 1Untangle Nov 21, 2024 Jul 26, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 untangle is a python library to convert XML data to python objects. untangle versions 1.2.0 and earlier improperly restricts XML external entity references. By exploiting this vulnerability, a remote unauthenticated atta...Show more untangle is a python library to convert XML data to python objects. untangle versions 1.2.0 and earlier improperly restricts XML external entity references. By exploiting this vulnerability, a remote unauthenticated attacker may read the contents of local files.Show less
CVE-2022-2131 1Openkm 1Openkm Nov 21, 2024 Jul 25, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 OpenKM Community Edition in its 6.3.10 version and before was using XMLReader parser in XMLTextExtractor.java file without the required security flags, allowing an attacker to perform a XML external entity injection atta...Show more OpenKM Community Edition in its 6.3.10 version and before was using XMLReader parser in XMLTextExtractor.java file without the required security flags, allowing an attacker to perform a XML external entity injection attack.Show less
CVE-2022-32458 1Digiwin 1Business Process Management Nov 21, 2024 Jul 20, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 Digiwin BPM has a XML External Entity Injection (XXE) vulnerability due to insufficient validation for user input. An unauthenticated remote attacker can perform XML injection attack to access arbitrary system files.
CVE-2022-34001 1Unit4 1Enterprise Resource Planning Nov 21, 2024 Jul 19, 2022 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Unit4 ERP through 7.9 allows XXE via ExecuteServerProcessAsynchronously.
CVE-2022-22358 1Ibm 2Partner Engagement Manager Partner Engagement Manager On Cloud/saas Nov 21, 2024 Jul 19, 2022 N/A· v4 7.1 HIGH· v3 N/A· v2 IBM Sterling Partner Engagement Manager 6.1.2, 6.2, and Cloud/SasS 22.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expos...Show more IBM Sterling Partner Engagement Manager 6.1.2, 6.2, and Cloud/SasS 22.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 220651.Show less
CVE-2015-8031 1Eclipse 1Hudson Nov 21, 2024 Jul 18, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Hudson (aka org.jvnet.hudson.main:hudson-core) before 3.3.2 allows XXE attacks.
CVE-2022-35741 1Apache 1Cloudstack Nov 21, 2024 Jul 18, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Apache CloudStack version 4.5.0 and later has a SAML 2.0 authentication Service Provider plugin which is found to be vulnerable to XML external entity (XXE) injection. This plugin is not enabled by default and the attack...Show more Apache CloudStack version 4.5.0 and later has a SAML 2.0 authentication Service Provider plugin which is found to be vulnerable to XML external entity (XXE) injection. This plugin is not enabled by default and the attacker would require that this plugin be enabled to exploit the vulnerability. When the SAML 2.0 plugin is enabled in affected versions of Apache CloudStack could potentially allow the exploitation of XXE vulnerabilities. The SAML 2.0 messages constructed during the authentication flow in Apache CloudStack are XML-based and the XML data is parsed by various standard libraries that are now understood to be vulnerable to XXE injection attacks such as arbitrary file reading, possible denial of service, server-side request forgery (SSRF) on the CloudStack management server.Show less
CVE-2022-35168 1Sap 1Business One Nov 21, 2024 Jul 12, 2022 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Due to improper input sanitization of XML input in SAP Business One - version 10.0, an attacker can perform a denial-of-service attack rendering the system temporarily inoperative.
CVE-2021-41042 1Eclipse 1Lyo Nov 21, 2024 Jul 7, 2022 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 In Eclipse Lyo versions 1.0.0 to 4.1.0, a TransformerFactory is initialized with the defaults that do not restrict DTD loading when working with RDF/XML. This allows an attacker to cause an external DTD to be retrieved.
CVE-2022-34793 1Jenkins 1Recipe Nov 21, 2024 Jun 30, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Jenkins Recipe Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2022-23170 1Sysaid 1Okta Sso Nov 21, 2024 Jun 24, 2022 N/A· v4 9.8 CRITICAL· v3 6.8 MEDIUM· v2 SysAid - Okta SSO integration - was found vulnerable to XML External Entity Injection vulnerability. Any SysAid environment that uses the Okta SSO integration might be vulnerable. An unauthenticated attacker could exploi...Show more SysAid - Okta SSO integration - was found vulnerable to XML External Entity Injection vulnerability. Any SysAid environment that uses the Okta SSO integration might be vulnerable. An unauthenticated attacker could exploit the XXE vulnerability by sending a malformed POST request to the identity provider endpoint. An attacker can extract the identity provider endpoint by decoding the SAMLRequest parameter's value and searching for the AssertionConsumerServiceURL parameter's value. It often allows an attacker to view files on the application server filesystem and interact with any back-end or external systems that the application can access. In some situations, an attacker can escalate an XXE attack to compromise the underlying server or other back-end infrastructure by leveraging the XXE vulnerability to perform server-side request forgery (SSRF) attacks.Show less
CVE-2021-40510 1Obdasystems 1Mastro Nov 21, 2024 Jun 21, 2022 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 XML eXternal Entity (XXE) in OBDA systems’ Mastro 1.0 allows remote attackers to read system files via custom DTDs.
CVE-2021-45024 1Rocketsoftware 1Ags Zena Nov 21, 2024 Jun 17, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 ASG technologies ( A Rocket Software Company) ASG-Zena Cross Platform Server Enterprise Edition 4.2.1 is vulnerable to XML External Entity (XXE).
CVE-2021-41411 1Redhat 1Drools Nov 21, 2024 Jun 16, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 drools <=7.59.x is affected by an XML External Entity (XXE) vulnerability in KieModuleMarshaller.java. The Validator class is not used correctly, resulting in the XXE injection vulnerability.

Previous 1...242526...63 Next