CWE-611

1,249 CVEs • Abstraction: Base

Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.


CVEs (1,249)

Each entry below lists the vendor(s), product(s), last-updated date, publication date, CVSS scores (v4 / v3 / v2) and the CVE description.

Vendor: H2database | Product: H2 | Updated: Nov 21, 2024 | Published: Dec 10, 2021 | CVSS v4: N/A, v3: 9.1 CRITICAL, v2: 6.4 MEDIUM
The package com.h2database:h2 from 1.4.198 and before 2.0.202 are vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it executes the getSource() method when the parameter is DOMSource.class it will trigger the vulnerability.

Vendor: Kb | Product: Multiner | Updated: Nov 21, 2024 | Published: Dec 8, 2021 | CVSS v4: N/A, v3: 9.1 CRITICAL, v2: 6.4 MEDIUM
National Library of the Netherlands multiNER <= c0440948057afc6e3d6b4903a7c05e666b94a3bc is affected by an XML External Entity (XXE) vulnerability in multiNER/ner.py. Since XML parsing resolves external entities, a malicious XML stream could leak internal files and/or cause a DoS.

Vendor: Kb | Product: Digger | Updated: Nov 21, 2024 | Published: Dec 8, 2021 | CVSS v4: N/A, v3: 9.1 CRITICAL, v2: 6.4 MEDIUM
National Library of the Netherlands digger < 6697d1269d981e35e11f240725b16401b5ce3db5 is affected by an XML External Entity (XXE) vulnerability. Since XML parsing resolves external entities, a malicious XML stream could leak internal files and/or cause a DoS.

Vendor: Cloverdx | Product: Cloverdx | Updated: Nov 21, 2024 | Published: Dec 1, 2021 | CVSS v4: N/A, v3: 7.7 HIGH, v2: 6.8 MEDIUM
CloverDX Server before 5.11.2 and 5.12.x before 5.12.1 allows XXE during configuration import.

Vendor: Claris | Products: Filemaker Pro, Filemaker Server | Updated: Nov 21, 2024 | Published: Nov 22, 2021 | CVSS v4: N/A, v3: 5.5 MEDIUM, v2: 4.3 MEDIUM
An XML External Entity issue in Claris FileMaker Pro and Server (including WebDirect) before 19.4.1 allows a remote attacker to disclose local files via a crafted XML/Excel document and perform server-side request forgery attacks.

Vendor: Jenkins | Product: Owasp Dependency Check | Updated: Nov 21, 2024 | Published: Nov 12, 2021 | CVSS v4: N/A, v3: 7.1 HIGH, v2: 5.5 MEDIUM
Jenkins OWASP Dependency-Check Plugin 5.1.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

Vendor: Jenkins | Product: Pom2config | Updated: Nov 21, 2024 | Published: Nov 12, 2021 | CVSS v4: N/A, v3: 6.5 MEDIUM, v2: 4.3 MEDIUM
Jenkins pom2config Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks, allowing attackers with Overall/Read and Item/Read permissions to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Vendor: Jenkins | Product: Performance | Updated: Nov 21, 2024 | Published: Nov 12, 2021 | CVSS v4: N/A, v3: 6.5 MEDIUM, v2: 4.0 MEDIUM
Jenkins Performance Plugin 3.20 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

Vendor: Fortinet | Product: Fortiportal | Updated: Nov 21, 2024 | Published: Nov 2, 2021 | CVSS v4: N/A, v3: 8.1 HIGH, v2: 6.4 MEDIUM
An improper restriction of XML external entity reference vulnerability in the parser of XML responses of FortiPortal before 6.0.6 may allow an attacker who controls the producer of XML reports consumed by FortiPortal to trigger a denial of service or read arbitrary files from the underlying file system by means of specifically crafted XML documents.

Vendor: Antennahouse | Product: Office Server Document Converter | Updated: Nov 21, 2024 | Published: Nov 1, 2021 | CVSS v4: N/A, v3: 6.5 MEDIUM, v2: 4.3 MEDIUM
Office Server Document Converter V7.2MR4 and earlier and V7.1MR7 and earlier allows a remote unauthenticated attacker to conduct an XML External Entity (XXE) attack to cause a denial of service (DoS) condition to the other servers by processing a specially crafted XML document.

Vendor: Antennahouse | Product: Office Server Document Converter | Updated: Nov 21, 2024 | Published: Nov 1, 2021 | CVSS v4: N/A, v3: 7.5 HIGH, v2: 5.0 MEDIUM
Office Server Document Converter V7.2MR4 and earlier and V7.1MR7 and earlier allows a remote unauthenticated attacker to conduct an XML External Entity (XXE) attack to cause a denial of service (DoS) condition by processing a specially crafted XML document.

Vendor: Easyxml Project | Product: Easyxml | Updated: Nov 21, 2024 | Published: Oct 31, 2021 | CVSS v4: N/A, v3: 9.1 CRITICAL, v2: 6.4 MEDIUM
The parseXML function in Easy-XML 0.5.0 was discovered to have an XML External Entity (XXE) vulnerability which allows an attacker to expose sensitive data or perform a denial of service (DoS) via a crafted external entity entered into the XML content as input.

Vendor: Getsymphony | Product: Symphony | Updated: Nov 21, 2024 | Published: Oct 31, 2021 | CVSS v4: N/A, v3: 9.1 CRITICAL, v2: 6.4 MEDIUM
An XML External Entity (XXE) vulnerability was discovered in symphony\lib\toolkit\class.xmlelement.php in Symphony 2.7.10 which can lead to an information disclosure or denial of service (DoS).

Vendor: Modx | Product: Modx Revolution | Updated: Nov 21, 2024 | Published: Oct 31, 2021 | CVSS v4: N/A, v3: 9.1 CRITICAL, v2: 6.4 MEDIUM
An XML External Entity (XXE) vulnerability was discovered in the modRestServiceRequest component in MODX CMS 2.7.3 which can lead to an information disclosure or denial of service (DoS).

Vendor: Stanford | Product: Corenlp | Updated: Nov 21, 2024 | Published: Oct 19, 2021 | CVSS v4: N/A, v3: 7.5 HIGH, v2: 5.0 MEDIUM
corenlp is vulnerable to Improper Restriction of XML External Entity Reference.

Vendor: Stanford | Product: Corenlp | Updated: Sep 8, 2025 | Published: Oct 15, 2021 | CVSS v4: N/A, v3: 9.8 CRITICAL, v2: 7.5 HIGH
corenlp is vulnerable to Improper Restriction of XML External Entity Reference.

Vendor: S Cms | Product: S Cms | Updated: Nov 21, 2024 | Published: Oct 14, 2021 | CVSS v4: N/A, v3: 7.5 HIGH, v2: 5.0 MEDIUM
An XML External Entity (XXE) vulnerability was discovered in /api/notify.php in S-CMS 3.0 which allows attackers to read arbitrary files.

Vendor: Cybozu | Product: Remote Service Manager | Updated: Nov 21, 2024 | Published: Oct 13, 2021 | CVSS v4: N/A, v3: 6.5 MEDIUM, v2: 4.0 MEDIUM
Cybozu Remote Service 3.1.8 to 3.1.9 allows a remote authenticated attacker to conduct XML External Entity (XXE) attacks and obtain the information stored in the product via unspecified vectors. This issue occurs only when using Mozilla Firefox.

Vendor: Tibco | Product: Jasperreports Server | Updated: Nov 21, 2024 | Published: Oct 12, 2021 | CVSS v4: N/A, v3: 7.5 HIGH, v2: 6.0 MEDIUM
The XMLA Connections component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server, TIBCO JasperReports Server, TIBCO JasperReports Server, TIBCO JasperReports Server - Community Edition, TIBCO JasperReports Server - Developer Edition, TIBCO JasperReports Server for AWS Marketplace, TIBCO JasperReports Server for ActiveMatrix BPM, and TIBCO JasperReports Server for Microsoft Azure contains a difficult to exploit vulnerability that allows a low privileged attacker with network access to interfere with XML processing in the affected component. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Server: versions 7.2.1 and below, TIBCO JasperReports Server: versions 7.5.0 and 7.5.1, TIBCO JasperReports Server: version 7.8.0, TIBCO JasperReports Server: version 7.9.0, TIBCO JasperReports Server - Community Edition: versions 7.8.0 and below, TIBCO JasperReports Server - Developer Edition: versions 7.9.0 and below, TIBCO JasperReports Server for AWS Marketplace: versions 7.9.0 and below, TIBCO JasperReports Server for ActiveMatrix BPM: versions 7.9.0 and below, and TIBCO JasperReports Server for Microsoft Azure: version 7.8.0.

Vendor: Sap | Product: Businessobjects Business Intelligence Platform | Updated: Nov 21, 2024 | Published: Oct 12, 2021 | CVSS v4: N/A, v3: 7.5 HIGH, v2: 5.0 MEDIUM
SAP BusinessObjects Business Intelligence Platform (Crystal Reports) - versions 420, 430, allows an unauthenticated attacker to exploit missing XML validations at endpoints to read sensitive data. These endpoints are normally exposed over the network and successful exploitation can enable the attacker to retrieve arbitrary files from the server.