Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

CVEs (1,244)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2019-4391 1Hcltech 1Appscan Nov 21, 2024 Apr 7, 2020 N/A· v4 8.2 HIGH· v3 6.4 MEDIUM· v2 HCL AppScan Standard is vulnerable to XML External Entity Injection (XXE) attack when processing XML data
CVE-2020-11586 1Cipplanner 1Cipace Nov 21, 2024 Apr 6, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An XXE issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make an API request that contains malicious XML DTD data.
CVE-2020-10993 1Osmand 1Osmand Nov 21, 2024 Mar 27, 2020 N/A· v4 9.1 CRITICAL· v3 6.4 MEDIUM· v2 Osmand through 2.0.0 allow XXE because of binary/BinaryMapIndexReader.java.
CVE-2020-10992 1Azkaban Project 1Azkaban Nov 21, 2024 Mar 27, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Azkaban through 3.84.0 allows XXE, related to validator/XmlValidatorManager.java and user/XmlUserManager.java.
CVE-2020-10991 1Mulesoft 1Aplkit Nov 21, 2024 Mar 27, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Mulesoft APIkit through 1.3.0 allows XXE because of validation/RestXmlSchemaValidator.java
CVE-2020-10990 1Accenture 1Mercury Nov 21, 2024 Mar 27, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An XXE issue exists in Accenture Mercury before 1.12.28 because of the platformlambda/core/serializers/SimpleXmlParser.java component.
CVE-2020-2171 1Jenkins 1Rapiddeploy Nov 21, 2024 Mar 25, 2020 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Jenkins RapidDeploy Plugin 4.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2019-20627 1Rbsoft 1Autoupdater.net Nov 21, 2024 Mar 23, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 AutoUpdater.cs in AutoUpdater.NET before 1.5.8 allows XXE.
CVE-2020-10799 1Svglib Project 1Svglib Nov 21, 2024 Mar 20, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The svglib package through 0.9.3 for Python allows XXE attacks via an svg2rlg call.
CVE-2019-20191 1Sync 3Oxygen Xml Author Oxygen Xml DeveloperOxygen Xml Editor Nov 21, 2024 Mar 16, 2020 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Oxygen XML Editor 21.1.1 allows XXE to read any file.
CVE-2020-8540 1Zohocorp 1Manageengine Desktop Central Nov 21, 2024 Mar 11, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An XML external entity (XXE) vulnerability in Zoho ManageEngine Desktop Central before the 07-Mar-2020 update allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) atta...Show more An XML external entity (XXE) vulnerability in Zoho ManageEngine Desktop Central before the 07-Mar-2020 update allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.Show less
CVE-2020-9044 1Johnsoncontrols 13Metasys Application And Data Server Metasys Extended Application And Data ServerMetasys Lonworks Control Server+10 more Nov 21, 2024 Mar 10, 2020 N/A· v4 9.1 CRITICAL· v3 6.4 MEDIUM· v2 XXE vulnerability exists in the Metasys family of product Web Services which has the potential to facilitate DoS attacks or harvesting of ASCII server files. This affects Johnson Controls' Metasys Application and Data Se...Show more XXE vulnerability exists in the Metasys family of product Web Services which has the potential to facilitate DoS attacks or harvesting of ASCII server files. This affects Johnson Controls' Metasys Application and Data Server (ADS, ADS-Lite) versions 10.1 and prior; Metasys Extended Application and Data Server (ADX) versions 10.1 and prior; Metasys Open Data Server (ODS) versions 10.1 and prior; Metasys Open Application Server (OAS) version 10.1; Metasys Network Automation Engine (NAE55 only) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys Network Integration Engine (NIE55/NIE59) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys NAE85 and NIE85 versions 10.1 and prior; Metasys LonWorks Control Server (LCS) versions 10.1 and prior; Metasys System Configuration Tool (SCT) versions 13.2 and prior; Metasys Smoke Control Network Automation Engine (NAE55, UL 864 UUKL/ORD-C100-13 UUKLC 10th Edition Listed) version 8.1.Show less
CVE-2020-2144 1Jenkins 1Rundeck Nov 21, 2024 Mar 9, 2020 N/A· v4 7.1 HIGH· v3 5.5 MEDIUM· v2 Jenkins Rundeck Plugin 3.6.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2020-2138 1Jenkins 1Cobertura Nov 21, 2024 Mar 9, 2020 N/A· v4 7.1 HIGH· v3 5.5 MEDIUM· v2 Jenkins Cobertura Plugin 1.15 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2015-7968 1Sap 1Netweaver Application Server Nov 21, 2024 Mar 9, 2020 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 nwbc_ext2int in SAP NetWeaver Application Server before Security Note 2183189 allows XXE attacks for local file inclusion via the sap/bc/ui2/nwbc/nwbc_ext2int/ URI.
CVE-2020-9352 1Smartclient 1Smartclient Nov 21, 2024 Feb 23, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An issue was discovered in SmartClient 12.0. Unauthenticated exploitation of blind XXE can occur in the downloadWSDL feature by sending a POST request to /tools/developerConsoleOperations.jsp with a valid payload in the...Show more An issue was discovered in SmartClient 12.0. Unauthenticated exploitation of blind XXE can occur in the downloadWSDL feature by sending a POST request to /tools/developerConsoleOperations.jsp with a valid payload in the _transaction parameter. NOTE: the documentation states "These tools are, by default, available to anyone ... so they should only be deployed into a trusted environment. Alternately, the tools can easily be restricted to administrators or end users by protecting the tools path with normal authentication and authorization mechanisms on the web server."Show less
CVE-2020-1693 1Redhat 1Spacewalk Nov 21, 2024 Feb 17, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A flaw was found in Spacewalk up to version 2.9 where it was vulnerable to XML internal entity attacks via the /rpc/api endpoint. An unauthenticated remote attacker could use this flaw to retrieve the content of certain...Show more A flaw was found in Spacewalk up to version 2.9 where it was vulnerable to XML internal entity attacks via the /rpc/api endpoint. An unauthenticated remote attacker could use this flaw to retrieve the content of certain files and trigger a denial of service, or in certain circumstances, execute arbitrary code on the Spacewalk server.Show less
CVE-2019-6194 1Lenovo 1Xclarity Administrator Nov 21, 2024 Feb 14, 2020 N/A· v4 5.5 MEDIUM· v3 4.3 MEDIUM· v2 An XML External Entity (XXE) processing vulnerability was reported in Lenovo XClarity Administrator (LXCA) versions prior to 2.6.6 that could allow information disclosure.
CVE-2020-1975 1Paloaltonetworks 1Pan Os Nov 21, 2024 Feb 12, 2020 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Missing XML validation vulnerability in the PAN-OS web interface on Palo Alto Networks PAN-OS software allows authenticated users to inject arbitrary XML that results in privilege escalation. This issue affects PAN-OS 8....Show more Missing XML validation vulnerability in the PAN-OS web interface on Palo Alto Networks PAN-OS software allows authenticated users to inject arbitrary XML that results in privilege escalation. This issue affects PAN-OS 8.1 versions earlier than PAN-OS 8.1.12 and PAN-OS 9.0 versions earlier than PAN-OS 9.0.6. This issue does not affect PAN-OS 7.1, PAN-OS 8.0, or PAN-OS 9.1 or later versions.Show less
CVE-2020-6187 1Sap 1Netweaver Guided Procedures Nov 21, 2024 Feb 12, 2020 N/A· v4 4.9 MEDIUM· v3 4.0 MEDIUM· v2 SAP NetWeaver (Guided Procedures), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate an XML document input from a compromised admin, leading to Denial of Service.

Previous 1...373839...63 Next