Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

CVEs (1,249)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2021-43990 1Fanuc 1Roboguide Nov 21, 2024 Apr 20, 2022 N/A· v4 5.3 MEDIUM· v3 2.6 LOW· v2 The affected product is vulnerable to a network-based attack by threat actors supplying a crafted, malicious XML payload designed to trigger an external entity reference call.
CVE-2022-0221 1Schneider Electric 1Scadapack Workbench Nov 21, 2024 Apr 13, 2022 N/A· v4 5.5 MEDIUM· v3 4.3 MEDIUM· v2 A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could result in information disclosure when opening a malicious solution file provided by an attacker with SCADAPack Workbench. T...Show more A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could result in information disclosure when opening a malicious solution file provided by an attacker with SCADAPack Workbench. This could be exploited to pass data from local files to a remote system controlled by an attacker. Affected Product: SCADAPack Workbench (6.6.8a and prior)Show less
CVE-2022-28219 1Zohocorp 1Manageengine Adaudit Plus Nov 21, 2024 Apr 5, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Cewolf in Zoho ManageEngine ADAudit Plus before 7060 is vulnerable to an unauthenticated XXE attack that leads to Remote Code Execution.
CVE-2022-1018 1Rockwellautomation 3Connected Components Workbench IsagrafSafety Instrumented Systems Workstation Nov 21, 2024 Apr 1, 2022 N/A· v4 5.5 MEDIUM· v3 4.3 MEDIUM· v2 When opening a malicious solution file provided by an attacker, the application suffers from an XML external entity vulnerability due to an unsafe call within a dynamic link library file. An attacker could exploit this t...Show more When opening a malicious solution file provided by an attacker, the application suffers from an XML external entity vulnerability due to an unsafe call within a dynamic link library file. An attacker could exploit this to pass data from local files to a remote web server, leading to a loss of confidentiality.Show less
CVE-2021-43142 1Jox Project 1Jox Nov 21, 2024 Mar 30, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An XML External Entity (XXE) vulnerability exists in wuta jox 1.16 in the readObject method in JOXSAXBeanInput.
CVE-2021-33208 1Softwareag 1Mashzone Nextgen Nov 21, 2024 Mar 30, 2022 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 The "Register an Ehcache Configuration File" admin feature in MashZone NextGen through 10.7 GA allows XXE attacks via a malicious XML configuration file.
CVE-2022-28155 1Jenkins 1Pipeline\ Nov 21, 2024 Mar 29, 2022 N/A· v4 8.1 HIGH· v3 5.5 MEDIUM· v2 Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2022-28154 1Jenkins 1Coverage/complexity Scatter Plot Nov 21, 2024 Mar 29, 2022 N/A· v4 8.1 HIGH· v3 5.5 MEDIUM· v2 Jenkins Coverage/Complexity Scatter Plot Plugin 1.1.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2022-28140 1Jenkins 1Flaky Test Handler Nov 21, 2024 Mar 29, 2022 N/A· v4 8.1 HIGH· v3 5.5 MEDIUM· v2 Jenkins Flaky Test Handler Plugin 1.2.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2021-44477 1Ge 1Toolboxst Nov 21, 2024 Mar 25, 2022 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 GE Gas Power ToolBoxST Version v04.07.05C suffers from an XML external entity (XXE) vulnerability using the DTD parameter entities technique that could result in disclosure and retrieval of arbitrary data on the affected...Show more GE Gas Power ToolBoxST Version v04.07.05C suffers from an XML external entity (XXE) vulnerability using the DTD parameter entities technique that could result in disclosure and retrieval of arbitrary data on the affected node via an out-of-band (OOB) attack. The vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project/template file.Show less
CVE-2021-43090 1Predic8 1Soa Model Nov 21, 2024 Mar 25, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An XML External Entity (XXE) vulnerability exists in soa-model before 1.6.4 in the WSDLParser function.
CVE-2022-0861 1Mcafee 1Epolicy Orchestrator Nov 21, 2024 Mar 23, 2022 N/A· v4 3.8 LOW· v3 5.5 MEDIUM· v2 A XML Extended entity vulnerability in McAfee Enterprise ePolicy Orchestrator (ePO) prior to 5.10 Update 13 allows a remote administrator attacker to upload a malicious XML file through the extension import functionality...Show more A XML Extended entity vulnerability in McAfee Enterprise ePolicy Orchestrator (ePO) prior to 5.10 Update 13 allows a remote administrator attacker to upload a malicious XML file through the extension import functionality. The impact is limited to some access to confidential information and some ability to alter data.Show less
CVE-2021-42194 1Eyoucms 1Eyoucms Nov 21, 2024 Mar 20, 2022 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 The wechat_return function in /controller/Index.php of EyouCms V1.5.4-UTF8-SP3 passes the user's input directly into the simplexml_ load_ String function, which itself does not prohibit external entities, triggering a XM...Show more The wechat_return function in /controller/Index.php of EyouCms V1.5.4-UTF8-SP3 passes the user's input directly into the simplexml_ load_ String function, which itself does not prohibit external entities, triggering a XML external entity (XXE) injection vulnerability.Show less
CVE-2022-27193 1Cvrf Csaf Converter Project 1Cvrf Csaf Converter Nov 21, 2024 Mar 15, 2022 N/A· v4 5.5 MEDIUM· v3 4.3 MEDIUM· v2 CVRF-CSAF-Converter before 1.0.0-rc2 resolves XML External Entities (XXE). This leads to the inclusion of arbitrary (local) file content into the generated output document. An attacker can exploit this to disclose inform...Show more CVRF-CSAF-Converter before 1.0.0-rc2 resolves XML External Entities (XXE). This leads to the inclusion of arbitrary (local) file content into the generated output document. An attacker can exploit this to disclose information from the system running the converter.Show less
CVE-2022-26661 2Debian Tryton 3Debian Linux ProteusTrytond Nov 21, 2024 Mar 10, 2022 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5...Show more An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system.Show less
CVE-2022-22835 1Overit 1Geocall Nov 21, 2024 Mar 10, 2022 N/A· v4 6.5 MEDIUM· v3 3.5 LOW· v2 An issue was discovered in OverIT Geocall before version 8.0. An authenticated user who has the Test Trasformazione XSL functionality enabled can exploit a XXE vulnerability to read arbitrary files from the filesystem.
CVE-2022-22795 1Signiant 1Manager+agents Nov 21, 2024 Mar 10, 2022 N/A· v4 9.1 CRITICAL· v3 6.4 MEDIUM· v2 Signiant - Manager+Agents XML External Entity (XXE) - Extract internal files of the affected machine An attacker can read all the system files, the product is running with root on Linux systems and nt/authority on window...Show more Signiant - Manager+Agents XML External Entity (XXE) - Extract internal files of the affected machine An attacker can read all the system files, the product is running with root on Linux systems and nt/authority on windows systems, which allows him to access and extract any file on the systems, such as passwd, shadow, hosts and so on. By gaining access to these files, attackers can steal sensitive information from the victims machine.Show less
CVE-2022-25312 1Apache 1Any23 Nov 21, 2024 Mar 5, 2022 N/A· v4 9.1 CRITICAL· v3 6.4 MEDIUM· v2 An XML external entity (XXE) injection vulnerability was discovered in the Any23 RDFa XSLTStylesheet extractor and is known to affect Any23 versions < 2.7. XML external entity injection (also known as XXE) is a web secur...Show more An XML external entity (XXE) injection vulnerability was discovered in the Any23 RDFa XSLTStylesheet extractor and is known to affect Any23 versions < 2.7. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access. This issue is fixed in Apache Any23 2.7.Show less
CVE-2022-0839 2Liquibase Oracle 2Liquibase Sqlcl Nov 3, 2025 Mar 4, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Improper Restriction of XML External Entity Reference in GitHub repository liquibase/liquibase prior to 4.8.0.
CVE-2022-0265 1Hazelcast 1Hazelcast Nov 21, 2024 Mar 3, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Improper Restriction of XML External Entity Reference in GitHub repository hazelcast/hazelcast in 5.1-BETA-1.

Previous 1...262728...63 Next