Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

CVEs (1,249)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2021-25165 1Arubanetworks 1Airwave Nov 21, 2024 Apr 28, 2021 N/A· v4 8.1 HIGH· v3 5.5 MEDIUM· v2 A remote XML external entity vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerabi...Show more A remote XML external entity vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability.Show less
CVE-2021-25164 1Arubanetworks 1Airwave Nov 21, 2024 Apr 28, 2021 N/A· v4 6.5 MEDIUM· v3 5.5 MEDIUM· v2 A remote XML external entity vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerabi...Show more A remote XML external entity vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability.Show less
CVE-2020-7036 1Avaya 1Callback Assist Nov 21, 2024 Apr 23, 2021 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 An XML External Entities (XXE)vulnerability in Callback Assist could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system. The affected versions of Callback Assi...Show more An XML External Entities (XXE)vulnerability in Callback Assist could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system. The affected versions of Callback Assist includes all 4.0.x versions before 4.7.1.1 Patch 7.Show less
CVE-2020-7035 1Avaya 1Aura Orchestration Designer Nov 21, 2024 Apr 23, 2021 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 An XML External Entities (XXE)vulnerability in the web-based user interface of Avaya Aura Orchestration Designer could allow an authenticated, remote attacker to gain read access to information that is stored on an affec...Show more An XML External Entities (XXE)vulnerability in the web-based user interface of Avaya Aura Orchestration Designer could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system. The affected versions of Orchestration Designer includes all 7.x versions before 7.2.3.Show less
CVE-2021-27736 1Fusionauth 1Saml V2 Nov 21, 2024 Apr 22, 2021 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 FusionAuth fusionauth-samlv2 before 0.5.4 allows XXE attacks via a forged AuthnRequest or LogoutRequest because parseFromBytes uses javax.xml.parsers.DocumentBuilderFactory unsafely.
CVE-2021-21642 1Jenkins 1Config File Provider Nov 21, 2024 Apr 21, 2021 N/A· v4 8.1 HIGH· v3 5.5 MEDIUM· v2 Jenkins Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2021-20454 1Ibm 1Websphere Application Server Nov 21, 2024 Apr 21, 2021 N/A· v4 8.2 HIGH· v3 6.4 MEDIUM· v2 IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive infor...Show more IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 196649.Show less
CVE-2021-20453 1Ibm 1Websphere Application Server Nov 21, 2024 Apr 20, 2021 N/A· v4 8.2 HIGH· v3 6.4 MEDIUM· v2 IBM WebSphere Application Server 8.0, 8.5, and 9.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive informatio...Show more IBM WebSphere Application Server 8.0, 8.5, and 9.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 196648.Show less
CVE-2021-29447 2Debian Wordpress 2Debian Linux Wordpress Nov 21, 2024 Apr 15, 2021 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 Wordpress is an open source CMS. A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XXE attacks. This requires WordPress installation to be using PHP...Show more Wordpress is an open source CMS. A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XXE attacks. This requires WordPress installation to be using PHP 8. Access to internal files is possible in a successful XXE attack. This has been patched in WordPress version 5.7.1, along with the older affected versions via a minor release. We strongly recommend you keep auto-updates enabled.Show less
CVE-2021-27604 1Sap 1Netweaver Process Integration Nov 21, 2024 Apr 14, 2021 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 In order to prevent XML External Entity vulnerability in SAP NetWeaver ABAP Server and ABAP Platform (Process Integration - Enterprise Service Repository JAVA Mappings), versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50, SAP...Show more In order to prevent XML External Entity vulnerability in SAP NetWeaver ABAP Server and ABAP Platform (Process Integration - Enterprise Service Repository JAVA Mappings), versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50, SAP recommends to refer this note.Show less
CVE-2021-28973 1Perforce 1Helix Alm Nov 21, 2024 Apr 13, 2021 N/A· v4 4.9 MEDIUM· v3 4.0 MEDIUM· v2 The XML Import functionality of the Administration console in Perforce Helix ALM 2020.3.1 Build 22 accepts XML input data that is parsed by insecurely configured software components, leading to XXE attacks.
CVE-2020-6590 1Forcepoint 3Data Loss Prevention Email SecurityWeb Security Content Gateway Nov 21, 2024 Apr 8, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Forcepoint Web Security Content Gateway versions prior to 8.5.4 improperly process XML input, leading to information disclosure.
CVE-2021-22158 1Proofpoint 1Insider Threat Management Nov 21, 2024 Apr 6, 2021 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 The Proofpoint Insider Threat Management Server (formerly ObserveIT Server) is vulnerable to XML external entity (XXE) injection in the Web Console. The vulnerability requires admin user privileges and knowledge of the X...Show more The Proofpoint Insider Threat Management Server (formerly ObserveIT Server) is vulnerable to XML external entity (XXE) injection in the Web Console. The vulnerability requires admin user privileges and knowledge of the XML file's encryption key to successfully exploit. All versions before 7.11 are affected.Show less
CVE-2021-29421 2Fedoraproject Pikepdf Project 2Fedora Pikepdf Nov 21, 2024 Apr 1, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 models/metadata.py in the pikepdf package 1.3.0 through 2.9.2 for Python allows XXE when parsing XMP metadata entries.
CVE-2021-20502 1Ibm 6Engineering Insights Engineering Lifecycle ManagementEngineering Requirements Quality Assistant On Premises+3 more Nov 21, 2024 Mar 30, 2021 N/A· v4 7.1 HIGH· v3 5.5 MEDIUM· v2 IBM Jazz Foundation Products are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory...Show more IBM Jazz Foundation Products are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 198059.Show less
CVE-2021-20482 1Ibm 1Cloud Pak For Automation Nov 21, 2024 Mar 30, 2021 N/A· v4 7.1 HIGH· v3 5.5 MEDIUM· v2 IBM Cloud Pak for Automation 20.0.2 and 20.0.3 IF002 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive inform...Show more IBM Cloud Pak for Automation 20.0.2 and 20.0.3 IF002 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 197504.Show less
CVE-2021-1628 1Salesforce 1Mule Nov 21, 2024 Mar 26, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 MuleSoft is aware of a XML External Entity (XXE) vulnerability affecting certain versions of a Mule runtime component that may affect both CloudHub and on-premise customers. Affected versions: Mule 4.x runtime released b...Show more MuleSoft is aware of a XML External Entity (XXE) vulnerability affecting certain versions of a Mule runtime component that may affect both CloudHub and on-premise customers. Affected versions: Mule 4.x runtime released before February 2, 2021.Show less
CVE-2021-28110 1Compassplus 1Tranzware E Commerce Payment Gateway Nov 21, 2024 Mar 19, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 /exec in TranzWare e-Commerce Payment Gateway (TWEC PG) before 3.1.27.5 had a vulnerability in its XML parser.
CVE-2020-28387 1Siemens 1Solid Edge Nov 21, 2024 Mar 15, 2021 N/A· v4 5.5 MEDIUM· v3 4.3 MEDIUM· v2 A vulnerability has been identified in Solid Edge SE2020 (All Versions < SE2020MP13), Solid Edge SE2021 (All Versions < SE2021MP3). When opening a specially crafted SEECTCXML file, the application could disclose arbitrar...Show more A vulnerability has been identified in Solid Edge SE2020 (All Versions < SE2020MP13), Solid Edge SE2021 (All Versions < SE2021MP3). When opening a specially crafted SEECTCXML file, the application could disclose arbitrary files to remote attackers. This is because of the passing of specially crafted content to the underlying XML parser without taking proper restrictions such as prohibiting an external dtd. (ZDI-CAN-11923)Show less
CVE-2021-26969 1Arubanetworks 1Airwave Nov 21, 2024 Mar 5, 2021 N/A· v4 6.5 MEDIUM· v3 5.5 MEDIUM· v2 A remote authenticated authenticated xml external entity (xxe) vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0. Due to improper restrictions on XML entities a vulnerability...Show more A remote authenticated authenticated xml external entity (xxe) vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0. Due to improper restrictions on XML entities a vulnerability exists in the web-based management interface of AirWave. A successful exploit could allow an authenticated attacker to retrieve files from the local system or cause the application to consume system resources, resulting in a denial of service condition.Show less

Previous 1...323334...63 Next