Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

CVEs (1,244)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2020-17408 1Nec 1Expresscluster X Nov 21, 2024 Sep 10, 2020 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 This vulnerability allows remote attackers to disclose sensitive information on affected installations of NEC ExpressCluster 4.1. Authentication is not required to exploit this vulnerability. The specific flaw exists wit...Show more This vulnerability allows remote attackers to disclose sensitive information on affected installations of NEC ExpressCluster 4.1. Authentication is not required to exploit this vulnerability. The specific flaw exists within the clpwebmc executable. Due to the improper restriction of XML External Entity (XXE) references, a specially-crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM. Was ZDI-CAN-10801.Show less
CVE-2020-24379 3Canonical DebianYaws 3Debian Linux Ubuntu LinuxYaws Nov 21, 2024 Sep 9, 2020 N/A· v4 9.8 CRITICAL· v3 6.8 MEDIUM· v2 WebDAV implementation in Yaws web server versions 1.81 to 2.0.7 is vulnerable to XXE injection.
CVE-2020-2247 1Jenkins 1Klocwork Analysis Nov 21, 2024 Sep 1, 2020 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 Jenkins Klocwork Analysis Plugin 2020.2.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2020-2245 1Jenkins 1Valgrind Nov 21, 2024 Sep 1, 2020 N/A· v4 7.1 HIGH· v3 5.5 MEDIUM· v2 Jenkins Valgrind Plugin 0.28 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2020-25020 2Mpxj Oracle 2Mpxj Primavera Unifier May 5, 2025 Aug 29, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 MPXJ through 8.1.3 allows XXE attacks. This affects the GanttProjectReader and PhoenixReader components.
CVE-2020-17376 1Openstack 1Nova Nov 21, 2024 Aug 26, 2020 N/A· v4 8.3 HIGH· v3 6.5 MEDIUM· v2 An issue was discovered in Guest.migrate in virt/libvirt/guest.py in OpenStack Nova before 19.3.1, 20.x before 20.3.1, and 21.0.0. By performing a soft reboot of an instance that has previously undergone live migration,...Show more An issue was discovered in Guest.migrate in virt/libvirt/guest.py in OpenStack Nova before 19.3.1, 20.x before 20.3.1, and 21.0.0. By performing a soft reboot of an instance that has previously undergone live migration, a user may gain access to destination host devices that share the same paths as host devices previously referenced by the virtual machine on the source host. This can include block devices that map to different Cinder volumes at the destination than at the source. Only deployments allowing host-based connections (for instance, root and ephemeral devices) are affected.Show less
CVE-2020-24656 1Maltego 1Maltego Nov 21, 2024 Aug 26, 2020 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 Maltego before 4.2.12 allows XXE attacks.
CVE-2020-24591 1Wso2 5Api Manager Api Manager AnalyticsApi Microgateway+2 more Nov 21, 2024 Aug 21, 2020 N/A· v4 6.5 MEDIUM· v3 5.5 MEDIUM· v2 The Management Console in certain WSO2 products allows XXE attacks during EventReceiver updates. This affects API Manager through 3.0.0, API Manager Analytics 2.2.0 and 2.5.0, API Microgateway 2.2.0, Enterprise Integrato...Show more The Management Console in certain WSO2 products allows XXE attacks during EventReceiver updates. This affects API Manager through 3.0.0, API Manager Analytics 2.2.0 and 2.5.0, API Microgateway 2.2.0, Enterprise Integrator 6.2.0 and 6.3.0, and Identity Server Analytics through 5.6.0.Show less
CVE-2020-24589 1Wso2 2Api Manager Api Microgateway Nov 21, 2024 Aug 21, 2020 N/A· v4 9.1 CRITICAL· v3 6.4 MEDIUM· v2 The Management Console in WSO2 API Manager through 3.1.0 and API Microgateway 2.2.0 allows XML External Entity injection (XXE) attacks.
CVE-2020-24052 1Moog 2Exvf5c 2 Firmware Exvp7c2 3 Firmware Nov 21, 2024 Aug 21, 2020 N/A· v4 9.1 CRITICAL· v3 6.4 MEDIUM· v2 Several XML External Entity (XXE) vulnerabilities in the Moog EXO Series EXVF5C-2 and EXVP7C2-3 units allow remote unauthenticated users to read arbitrary files via a crafted Document Type Definition (DTD) in an XML requ...Show more Several XML External Entity (XXE) vulnerabilities in the Moog EXO Series EXVF5C-2 and EXVP7C2-3 units allow remote unauthenticated users to read arbitrary files via a crafted Document Type Definition (DTD) in an XML request.Show less
CVE-2020-4481 1Ibm 1Urbancode Deploy Nov 21, 2024 Aug 5, 2020 N/A· v4 8.2 HIGH· v3 6.4 MEDIUM· v2 IBM UrbanCode Deploy (UCD) 6.2.7.3, 6.2.7.4, 7.0.3.0, and 7.0.4.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sens...Show more IBM UrbanCode Deploy (UCD) 6.2.7.3, 6.2.7.4, 7.0.3.0, and 7.0.4.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 181848.Show less
CVE-2020-4377 1Ibm 1Cognos Analytics Nov 21, 2024 Aug 3, 2020 N/A· v4 9.1 CRITICAL· v3 6.4 MEDIUM· v2 IBM Cognos Anaytics 11.0 and 11.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume mem...Show more IBM Cognos Anaytics 11.0 and 11.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 179156.Show less
CVE-2020-4463 1Ibm 1Maximo Asset Management Nov 21, 2024 Jul 29, 2020 N/A· v4 8.2 HIGH· v3 6.4 MEDIUM· v2 IBM Maximo Asset Management 7.6.0.1 and 7.6.0.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information...Show more IBM Maximo Asset Management 7.6.0.1 and 7.6.0.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 181484.Show less
CVE-2020-15419 1Veeam 1One Firmware Nov 21, 2024 Jul 28, 2020 N/A· v4 7.5 HIGH· v3 7.8 HIGH· v2 This vulnerability allows remote attackers to disclose sensitive information on affected installations of Veeam ONE 10.0.0.750_20200415. Authentication is not required to exploit this vulnerability. The specific flaw exi...Show more This vulnerability allows remote attackers to disclose sensitive information on affected installations of Veeam ONE 10.0.0.750_20200415. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Reporter_ImportLicense class. Due to the improper restriction of XML External Entity (XXE) references, a specially crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose file contents in the context of SYSTEM. Was ZDI-CAN-10710.Show less
CVE-2020-15418 1Veeam 1One Firmware Nov 21, 2024 Jul 28, 2020 N/A· v4 7.5 HIGH· v3 7.8 HIGH· v2 This vulnerability allows remote attackers to disclose sensitive information on affected installations of Veeam ONE 10.0.0.750_20200415. Authentication is not required to exploit this vulnerability. The specific flaw exi...Show more This vulnerability allows remote attackers to disclose sensitive information on affected installations of Veeam ONE 10.0.0.750_20200415. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SSRSReport class. Due to the improper restriction of XML External Entity (XXE) references, a specially crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose file contents in the context of SYSTEM. Was ZDI-CAN-10709.Show less
CVE-2020-3405 1Cisco 1Sd Wan Firmware Nov 21, 2024 Jul 16, 2020 N/A· v4 7.3 HIGH· v3 4.9 MEDIUM· v2 A vulnerability in the web UI of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to gain read and write access to information that is stored on an affected system. The vulnerability is due to...Show more A vulnerability in the web UI of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to gain read and write access to information that is stored on an affected system. The vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by persuading a user to import a crafted XML file with malicious entries. A successful exploit could allow the attacker to read and write files within the affected application.Show less
CVE-2020-4462 1Ibm 2Sterling External Authentication Server Sterling Secure Proxy Nov 21, 2024 Jul 16, 2020 N/A· v4 8.2 HIGH· v3 6.4 MEDIUM· v2 IBM Sterling External Authentication Server 6.0.1, 6.0.0, 2.4.3.2, and 2.4.2 and IBM Sterling Secure Proxy 6.0.1, 6.0.0, 3.4.3, and 3.4.2 are vulnerable to an XML External Entity Injection (XXE) attack when processing XM...Show more IBM Sterling External Authentication Server 6.0.1, 6.0.0, 2.4.3.2, and 2.4.2 and IBM Sterling Secure Proxy 6.0.1, 6.0.0, 3.4.3, and 3.4.2 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 181482.Show less
CVE-2020-12684 1Inetsoftware 1I Net Clear Reports Nov 21, 2024 Jul 15, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 XXE injection can occur in i-net Clear Reports 2019 19.0.287 (Designer), as used in i-net HelpDesk and other products, when XML input containing a reference to an external entity is processed by a weakly configured XML p...Show more XXE injection can occur in i-net Clear Reports 2019 19.0.287 (Designer), as used in i-net HelpDesk and other products, when XML input containing a reference to an external entity is processed by a weakly configured XML parser.Show less
CVE-2019-17637 2Debian Eclipse 2Debian Linux Web Tools Platform Nov 21, 2024 Jul 15, 2020 N/A· v4 7.1 HIGH· v3 5.8 MEDIUM· v2 In all versions of Eclipse Web Tools Platform through release 3.18 (2020-06), XML and DTD files referring to external entities could be exploited to send the contents of local files to a remote server when edited or vali...Show more In all versions of Eclipse Web Tools Platform through release 3.18 (2020-06), XML and DTD files referring to external entities could be exploited to send the contents of local files to a remote server when edited or validated, even when external entity resolution is disabled in the user preferences.Show less
CVE-2020-4510 1Ibm 1Qradar Security Information And Event Manager Nov 21, 2024 Jul 14, 2020 N/A· v4 5.5 MEDIUM· v3 5.5 MEDIUM· v2 IBM QRadar SIEM 7.3 and 7.4 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory re...Show more IBM QRadar SIEM 7.3 and 7.4 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 182365.Show less

Previous 1...353637...63 Next