CWE-611
1,244 CVEs • Abstraction: Base
Improper Restriction of XML External Entity Reference
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
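The two outcomes that recur in the CVE rows below, reading a local file and (with an http:// URI in the entity) forging a server-side request, come from a single parser setting: whether external entities declared in the document's DTD are fetched and spliced into the content. The block that follows is an added example, not code from this CWE entry or from any of the listed products; it uses Python's xml.sax, where that setting is `feature_external_ges` (off by default since Python 3.7.1 and deliberately switched on here to reproduce the vulnerable configuration). The secret file, the `SECRET` constant and the payload are constructed for the demonstration, and the temp-file handling assumes a POSIX-style path.

```python
"""XXE file disclosure and its fix, shown with Python's xml.sax.

Added example for CWE-611; not taken from the CWE page or any listed product.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed secret written to a temp file so the demo runs offline.
SECRET = "s3cr3t-token-12345"

# Constructed attacker payload: the classic file-disclosure XXE. The entity
# value is fetched from the SYSTEM URI and spliced into the document text.
# An http:// URI in the same place turns the read into an SSRF.
XXE_PAYLOAD = """<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY xxe SYSTEM "file://{path}">
]>
<data>&xxe;</data>
"""


class TextCollector(ContentHandler):
    """Collects character data so we can see what the parser spliced in."""

    def __init__(self):
        super().__init__()
        self._chunks = []

    def characters(self, content):
        self._chunks.append(content)

    def text(self):
        return "".join(self._chunks)


def parse_text(xml_bytes, resolve_external_entities):
    """Parse with xml.sax and return the concatenated text content.

    resolve_external_entities=True is the vulnerable configuration
    (external general entities are fetched); False, the stdlib default,
    leaves an external entity reference unresolved and empty.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def has_doctype(xml_bytes):
    """Pre-parse guard: does the document carry a DOCTYPE at all?

    Without a DTD there is nowhere to declare an entity, external or
    internal, so rejecting DOCTYPE also removes entity-expansion DoS.
    Assumes an ASCII-compatible encoding (a UTF-16 document would need
    decoding first).
    """
    return b"<!DOCTYPE" in xml_bytes


def parse_untrusted(xml_bytes):
    """Hardened entry point: refuse DOCTYPE, then parse with external
    entities disabled (defence in depth: either control alone blocks the
    payload above)."""
    if has_doctype(xml_bytes):
        raise ValueError("DOCTYPE declarations are not accepted")
    return parse_text(xml_bytes, resolve_external_entities=False)


def demo():
    """Write the constructed secret to a temp file and parse the payload
    both ways. Returns (text seen by the vulnerable parser,
    text seen by the hardened parser)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write(SECRET)
        path = f.name  # assumed POSIX absolute path, e.g. /tmp/tmpab12.txt
    try:
        payload = XXE_PAYLOAD.format(path=path).encode()
        leaked = parse_text(payload, resolve_external_entities=True)
        safe = parse_text(payload, resolve_external_entities=False)
        return leaked, safe
    finally:
        os.unlink(path)


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable parser saw:", repr(leaked))
    print("hardened parser saw:  ", repr(safe))
```

Most products in the list below are Java-based; there the same two controls are the OWASP-documented `http://apache.org/xml/features/disallow-doctype-decl` feature (the equivalent of `has_doctype` rejecting the document) and, where a DTD must be allowed, turning off `external-general-entities` and `external-parameter-entities` on the parser factory.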
CVEs (1,244)
| Vendors | Products | Updated | Published | CVSS (v4 · v3 · v2) | Description |
|---|---|---|---|---|---|
| Rockwellautomation | Studio 5000 Logix Designer | Nov 21, 2024 | Jul 14, 2020 | N/A · 3.3 LOW · 4.3 MEDIUM | Rockwell Automation Logix Designer Studio 5000 Versions 32.00, 32.01, and 32.02 vulnerable to an XML external entity (XXE) vulnerability, which may allow an attacker to view hostnames or other resources from the program. |
| Mitsubishielectric | Cpu Module Logging Configuration Tool, Cw Configurator, Em Configurator (+17 more) | Nov 21, 2024 | Jun 30, 2020 | N/A · 7.5 HIGH · 5.0 MEDIUM | Mitsubishi Electric FA Engineering Software (CPU Module Logging Configuration Tool Ver. 1.94Y and earlier, CW Configurator Ver. 1.010L and earlier, EM Software Development Kit (EM Configurator) Ver. 1.010L and earlier, ... |
| | | | | | An issue was discovered in io/gpx/GPXDocumentReader.java in TuxGuitar 1.5.4. It uses misconfigured XML parsers, leading to XXE while loading GP6 (.gpx) and GP7 (.gp) tablature files. |
| Ibi | Webfocus Business Intelligence | Nov 21, 2024 | Jun 22, 2020 | N/A · 8.2 HIGH · 5.8 MEDIUM | In WebFOCUS Business Intelligence 8.0 (SP6), the administration portal allows remote attackers to read arbitrary local files or forge server-side HTTP requests via a crafted HTTP request to /ibi_apps/WFServlet.cfg becaus... |
| Open Xchange | Open Xchange Appsuite | Nov 21, 2024 | Jun 16, 2020 | N/A · 6.5 MEDIUM · 4.0 MEDIUM | OX App Suite through 7.10.3 allows XXE attacks. |
| Wso2 | Api Manager, Api Microgateway, Identity Server As Key Manager | Nov 21, 2024 | Jun 6, 2020 | N/A · 6.7 MEDIUM · 6.5 MEDIUM | In WSO2 API Manager 3.0.0 and earlier, WSO2 API Microgateway 2.2.0, and WSO2 IS as Key Manager 5.9.0 and earlier, Management Console allows XXE during addition or update of a Lifecycle. |
| Debian, Fedoraproject, Netapp (+2 more) | Debian Linux, Fedora, Postgresql Jdbc Driver (+2 more) | Nov 21, 2024 | Jun 4, 2020 | N/A · 7.7 HIGH · 6.8 MEDIUM | PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE. |
| Ibm | Qradar Security Information And Event Manager | Nov 21, 2024 | Jun 4, 2020 | N/A · 7.6 HIGH · 5.5 MEDIUM | IBM QRadar SIEM 7.3 and 7.4 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory re... |
| Ibm | Security Identity Governance And Intelligence | Nov 21, 2024 | May 28, 2020 | N/A · 7.1 HIGH · 5.5 MEDIUM | IBM Security Identity Governance and Intelligence 5.2.6 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive info... |
| | | | | | Improper restriction of XML external entity reference ('XXE') vulnerability in Palo Alto Networks Panorama management service allows remote unauthenticated attackers with network access to the Panorama management interfa... |
| Apache, Fedoraproject, Netapp (+1 more) | Application Testing Suite, Fedora, Hospitality Opera 5 (+4 more) | Nov 21, 2024 | May 11, 2020 | N/A · 9.8 CRITICAL · 7.5 HIGH | Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration... |
| | | | | | In TechSmith SnagIt 11.2.1 through 20.0.3, an XML External Entity (XXE) injection issue exists that would allow a local attacker to exfiltrate data under the local Administrator account. |
| Wso2 | Api Manager, Api Manager Analytics, Api Microgateway (+4 more) | Nov 21, 2024 | May 8, 2020 | N/A · 7.2 HIGH · 6.5 MEDIUM | XXE during an EventPublisher update can occur in Management Console in WSO2 API Manager 3.0.0 and earlier, API Manager Analytics 2.5.0 and earlier, API Microgateway 2.2.0, Enterprise Integrator 6.4.0 and earlier, IS as K... |
| Cisco | Hosted Collaboration Mediation Fulfillment | Nov 21, 2024 | May 6, 2020 | N/A · 4.9 MEDIUM · 4.0 MEDIUM | A vulnerability in the web-based management interface of Cisco Hosted Collaboration Mediation Fulfillment (HCM-F) Software could allow an authenticated, remote attacker to gain read access to information that is stored o... |
| | | | | | An issue was discovered in service-api before 4.3.12 and 5.x before 5.1.1 for Report Portal. It allows XXE, with resultant secrets disclosure and SSRF, via JUnit XML launch import. |
| Canonical, Dom4j Project, Netapp (+2 more) | Agile Plm, Application Testing Suite, Banking Platform (+35 more) | Nov 21, 2024 | May 1, 2020 | N/A · 9.8 CRITICAL · 7.5 HIGH | dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe,... |
| | | | | | WSO2 Enterprise Integrator through 6.6.0 has an XXE vulnerability where a user (with admin console access) can use the XML validator to make unintended network invocations such as SSRF via an uploaded file. |
| | | | | | Jenkins Parasoft Findings Plugin 10.4.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| | | | | | SAP Commerce, versions 6.6, 6.7, 1808, 1811, 1905, does not process XML input securely in the Rest API from Servlet xyformsweb, leading to Missing XML Validation. This affects confidentiality and availability (partiall... |
| | | | | | WebAccess/NMS (versions prior to 3.0.2) does not sanitize XML input. Specially crafted XML input could allow an attacker to read sensitive files. |