CWE-611

1,249 CVEs • Abstraction: Base

Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

CVEs (1,249)

Each record below lists vendors, products, the updated and published dates, the CVSS v4/v3/v2 scores, and the CVE description.

Vendor: Excel Streaming Reader Project
Product: Excel Streaming Reader
Updated: Nov 21, 2024 | Published: Mar 2, 2022
CVSS: v4 N/A | v3 9.8 CRITICAL | v2 7.5 HIGH
Excel-Streaming-Reader is an easy-to-use implementation of a streaming Excel reader using Apache POI. Prior to xlsx-streamer 2.1.0, the XML parser that was used did apply all the necessary settings to prevent XML Entity Expansion issues. Upgrade to version 2.1.0 to receive a patch. There is no known workaround.

Vendor: Jetbrains
Product: Teamcity
Updated: Nov 21, 2024 | Published: Feb 25, 2022
CVSS: v4 N/A | v3 9.8 CRITICAL | v2 7.5 HIGH
In JetBrains TeamCity before 2021.2.1, XXE during the parsing of the configuration file was possible.

Vendor: Rockwellautomation
Product: Factorytalk Services Platform
Updated: Apr 17, 2025 | Published: Feb 24, 2022
CVSS: v4 N/A | v3 7.1 HIGH | v2 5.6 MEDIUM
A local, authenticated attacker could use an XML External Entity (XXE) attack to exploit weakly configured XML files to access local or remote content. A successful exploit could potentially cause a denial-of-service condition and allow the attacker to arbitrarily read any local file via system-level services.

Vendor: Jenkins
Product: Chef Sinatra
Updated: Nov 21, 2024 | Published: Feb 15, 2022
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.5 MEDIUM
Jenkins Chef Sinatra Plugin 1.20 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

Vendor: Magnolia Cms
Product: Magnolia Cms
Updated: Nov 21, 2024 | Published: Feb 11, 2022
CVSS: v4 N/A | v3 7.8 HIGH | v2 6.8 MEDIUM
An issue in the Export function of Magnolia v6.2.3 and below allows attackers to execute XML External Entity attacks via a crafted XLF file.

Vendor: Intel
Product: Quartus Prime
Updated: May 5, 2025 | Published: Feb 9, 2022
CVSS: v4 N/A | v3 7.8 HIGH | v2 4.6 MEDIUM
Improper restriction of XML external entity for Intel(R) Quartus(R) Prime Pro Edition before version 21.3 may allow an authenticated user to potentially enable escalation of privilege via local access.

Vendor: Intel
Product: Quartus Prime
Updated: May 5, 2025 | Published: Feb 9, 2022
CVSS: v4 N/A | v3 7.5 HIGH | v2 5.0 MEDIUM
Improper restriction of XML external entity reference in DSP Builder Pro for Intel(R) Quartus(R) Prime Pro Edition before version 21.3 may allow an unauthenticated user to potentially enable information disclosure via network access.

Vendor: Signiant
Product: Manager+agents
Updated: Nov 21, 2024 | Published: Jan 30, 2022
CVSS: v4 N/A | v3 9.8 CRITICAL | v2 7.5 HIGH
Signiant Manager+Agents before 15.1 allows XML External Entity (XXE) attacks.

Vendor: F5
Products (3): Big Ip Advanced Web Application Firewall, Big Ip Application Security Manager, Big Ip Fraud Protection Service
Updated: Nov 21, 2024 | Published: Jan 25, 2022
CVSS: v4 N/A | v3 4.9 MEDIUM | v2 4.0 MEDIUM
On BIG-IP FPS, ASM, and Advanced WAF versions 16.1.x before 16.1.1, 15.1.x before 15.1.4, and 14.1.x before 14.1.4.4, an XML External Entity (XXE) vulnerability exists in an undisclosed page of the F5 Advanced Web Application Firewall (Advanced WAF) and BIG-IP ASM Traffic Management User Interface (TMUI), also referred to as the Configuration utility, that allows an authenticated high-privileged attacker to read local files and force BIG-IP to send HTTP requests. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Vendor: Ibm
Product: Cognos Controller
Updated: Nov 21, 2024 | Published: Jan 21, 2022
CVSS: v4 N/A | v3 8.2 HIGH | v2 6.4 MEDIUM
IBM Cognos Controller 10.4.0, 10.4.1, and 10.4.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 190839.

Vendor: Ibm
Product: Cognos Controller
Updated: Nov 21, 2024 | Published: Jan 21, 2022
CVSS: v4 N/A | v3 8.2 HIGH | v2 6.4 MEDIUM
IBM Cognos Controller 10.4.0, 10.4.1, and 10.4.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 190838.

Vendor: Jadx Project
Product: Jadx
Updated: Nov 21, 2024 | Published: Jan 20, 2022
CVSS: v4 N/A | v3 5.5 MEDIUM | v2 4.3 MEDIUM
Improper Restriction of XML External Entity Reference in GitHub repository skylot/jadx prior to 1.3.2.

Vendors (3): Debian, Netapp, Oracle
Products (19): 7 Mode Transition Tool, Active Iq Unified Manager, Cloud Insights Acquisition Unit, +16 more
Updated: May 27, 2026 | Published: Jan 19, 2022
CVSS: v4 N/A | v3 5.3 MEDIUM | v2 5.0 MEDIUM
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

Vendor: Stanford
Product: Corenlp
Updated: Apr 16, 2026 | Published: Jan 17, 2022
CVSS: v4 N/A | v3 9.8 CRITICAL | v2 7.5 HIGH
corenlp is vulnerable to Improper Restriction of XML External Entity Reference

Vendor: Adobe
Products (2): Experience Manager, Experience Manager Cloud Service
Updated: Nov 21, 2024 | Published: Jan 13, 2022
CVSS: v4 N/A | v3 9.8 CRITICAL | v2 7.5 HIGH
AEM Forms Cloud Service offering, as well as version 6.5.10.0 (and below) are affected by an XML External Entity (XXE) injection vulnerability that could be abused by an attacker to achieve RCE.

Vendor: Stanford
Product: Corenlp
Updated: Nov 21, 2024 | Published: Jan 13, 2022
CVSS: v4 N/A | v3 7.1 HIGH | v2 5.8 MEDIUM
corenlp is vulnerable to Improper Restriction of XML External Entity Reference

Vendor: Mitre
Product: Caldera
Updated: Nov 21, 2024 | Published: Jan 12, 2022
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.5 MEDIUM
An issue was discovered in CALDERA 2.9.0. The Debrief plugin receives base64 encoded "SVG" parameters when generating a PDF document. These SVG documents are parsed in an unsafe manner and can be leveraged for XXE attacks (e.g., File Exfiltration, Server Side Request Forgery, Out of Band Exfiltration, etc.).

Vendor: Quest
Product: Kace Desktop Authority
Updated: Nov 21, 2024 | Published: Dec 22, 2021
CVSS: v4 N/A | v3 5.5 MEDIUM | v2 4.3 MEDIUM
XXE can occur in Quest KACE Desktop Authority before 11.2 because the log4net configuration file might be controlled by an attacker, a related issue to CVE-2018-1285.

Vendor: Knime
Product: Knime Analytics Platform
Updated: Nov 21, 2024 | Published: Dec 16, 2021
CVSS: v4 N/A | v3 4.3 MEDIUM | v2 4.3 MEDIUM
KNIME Analytics Platform before 4.5.0 is vulnerable to XXE (external XML entity injection) via a crafted workflow file (.knwf), aka AP-17730.

Vendor: Dbeaver
Product: Dbeaver
Updated: Nov 21, 2024 | Published: Dec 14, 2021
CVSS: v4 N/A | v3 5.5 MEDIUM | v2 4.3 MEDIUM
dbeaver is vulnerable to Improper Restriction of XML External Entity Reference