CWE-611

1,244 CVEs • Abstraction: Base

Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
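The definition above in working code, as an added example that is not part of the CWE page or of any product listed on it. It uses Python's standard-library SAX driver (xml.sax on top of expat): the vulnerable parser enables fetching of external general entities, which is exactly the misconfiguration the listed advisories describe (and was Python's default before 3.7.1), so an entity whose system id is a file:// URI pulls a local file into the element text. The hardened parser keeps external entity fetching off and additionally aborts on any DOCTYPE, so no entity can be declared at all. The secret file, the temp directory and the payload are constructed for the demonstration; the entity name `xxe` and the function names are the example's own.

```python
"""XXE (CWE-611) against Python's stdlib SAX driver: a parser that fetches
external general entities leaks a local file into the parsed text; the
hardened parser refuses DOCTYPE declarations and never fetches entities.
Added example; not code from the CWE page or from any product listed on it."""
import io
import os
import pathlib
import tempfile
import xml.sax
import xml.sax.handler


class DtdNotAllowed(ValueError):
    """Raised by the hardened parser when the document carries a DOCTYPE."""


class _TextCollector(xml.sax.handler.ContentHandler):
    """Accumulates character data so we can see what &xxe; expanded to."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    @property
    def text(self):
        return "".join(self.chunks).strip()


class _RejectDtd:
    """Lexical handler whose only job is to abort on any DOCTYPE, before a
    single entity can be declared. The other callbacks are required by the
    driver and intentionally do nothing."""

    def startDTD(self, name, public_id, system_id):
        raise DtdNotAllowed(f"DOCTYPE {name!r} (system id {system_id!r}) rejected")

    def endDTD(self): pass
    def startCDATA(self): pass
    def endCDATA(self): pass
    def comment(self, content): pass


def xxe_payload(target_path):
    """Classic file-read XXE (constructed payload): an external general entity
    whose system id is a file:// URI, referenced from element content."""
    uri = pathlib.Path(target_path).resolve().as_uri()
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE data [<!ENTITY xxe SYSTEM "{uri}">]>\n'
        "<data>&xxe;</data>\n"
    ).encode()


def parse_vulnerable(xml_bytes):
    """The misconfiguration behind the listed CVEs: the parser is allowed to
    resolve external general entities, so it opens whatever URI the document
    names and splices the content into the parse."""
    handler = _TextCollector()
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, True)
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text


def parse_hardened(xml_bytes):
    """Defence in depth: external entities are never fetched (explicitly, not
    by relying on the default), and any DOCTYPE aborts the parse."""
    handler = _TextCollector()
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, False)
    parser.setProperty(xml.sax.handler.property_lexical_handler, _RejectDtd())
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text


def demo():
    """Plant a secret in a temp file, then feed the same payload to both
    parsers; also check the hardened parser still accepts benign input."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w") as f:
            f.write("TOP-SECRET-42")  # constructed sample target file
        payload = xxe_payload(secret)
        leaked = parse_vulnerable(payload)
        try:
            parse_hardened(payload)
            blocked = None
        except DtdNotAllowed as exc:
            blocked = str(exc)
    benign = parse_hardened(b"<data>hello</data>")
    return {"vulnerable": leaked, "hardened": blocked, "benign": benign}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>10}: {value!r}")
```

Run it and `vulnerable` comes back as the secret file's contents while `hardened` reports the rejected DOCTYPE. Disabling fetches alone would silently expand `&xxe;` to nothing, which hides the attack from logs; refusing the DTD outright fails loudly and also removes the entity-expansion denial-of-service surface. The same two controls map onto the Java stacks that dominate the list below: on a JAXP `DocumentBuilderFactory`, `setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)` is the DOCTYPE ban, and the Jenkins plugins listed were shipped without it.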

CVEs (1,244)

Vendor(s) | Product(s) | Updated | Published | CVSS (v4 / v3 / v2)

Jenkins | Fitnesse | Nov 21, 2024 | Feb 12, 2020 | N/A / 8.8 HIGH / 6.5 MEDIUM
  Jenkins FitNesse Plugin 1.30 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.

Jenkins | Nunit | Nov 21, 2024 | Feb 12, 2020 | N/A / 8.8 HIGH / 6.5 MEDIUM
  Jenkins NUnit Plugin 0.25 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.

Owncloud | Owncloud, Owncloud Server | Mar 31, 2025 | Feb 11, 2020 | N/A / 9.8 CRITICAL / 7.5 HIGH
  Zend Framework, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.

Tejimaya | Opwebapiplugin | Nov 21, 2024 | Feb 7, 2020 | N/A / 9.8 CRITICAL / 7.5 HIGH
  opWebAPIPlugin 0.5.1, 0.4.0, and 0.1.0: XXE vulnerabilities.

Checkstyle | Checkstyle | Nov 21, 2024 | Jan 30, 2020 | N/A / 5.3 MEDIUM / 5.0 MEDIUM
  All versions of com.puppycrawl.tools:checkstyle before 8.29 are vulnerable to XML External Entity (XXE) Injection due to an incomplete fix for CVE-2019-9658.

Jenkins | Websphere Deployer | Nov 21, 2024 | Jan 29, 2020 | N/A / 7.6 HIGH / 6.5 MEDIUM
  Jenkins WebSphere Deployer Plugin 1.6.1 and earlier does not configure the XML parser to prevent XXE attacks, which can be exploited by a user with Job/Configure permissions.

Ibm | Security Access Manager | Nov 21, 2024 | Jan 28, 2020 | N/A / 7.1 HIGH / 5.5 MEDIUM
  IBM Security Access Manager Appliance 9.0.7.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 172018.

Tejimaya | Openpne | Nov 21, 2024 | Jan 24, 2020 | N/A / 9.1 CRITICAL / 6.4 MEDIUM
  OpenPNE 3 versions 3.8.7, 3.6.11, 3.4.21.1, 3.2.7.6 and 3.0.8.5 have an XML External Entity Injection vulnerability.

Jenkins | Cloudbees | Nov 21, 2024 | Jan 15, 2020 | N/A / 7.5 HIGH / 5.0 MEDIUM
  XML external entity (XXE) vulnerability in CloudBees Jenkins before 1.600 and LTS before 1.596.1 allows remote attackers to read arbitrary XML files via a crafted XML document.

Jenkins | Cloudbees | Nov 21, 2024 | Jan 15, 2020 | N/A / 7.5 HIGH / 5.0 MEDIUM
  XML external entity (XXE) vulnerability in CloudBees Jenkins before 1.600 and LTS before 1.596.1 allows remote attackers to read arbitrary XML files via an XPath query.

Jenkins | Robot Framework | Nov 21, 2024 | Jan 15, 2020 | N/A / 8.8 HIGH / 6.5 MEDIUM
  Jenkins Robot Framework Plugin 2.0.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks, allowing users with Job/Configure to have Jenkins parse crafted XML documents.

Jetbrains | Idetalk | Nov 21, 2024 | Jan 15, 2020 | N/A / 7.5 HIGH / 5.0 MEDIUM
  JetBrains IDETalk plugin before version 193.4099.10 allows XXE.

Pyamf | Pyamf | Nov 21, 2024 | Jan 15, 2020 | N/A / 7.1 HIGH / 5.8 MEDIUM
  XML external entity (XXE) vulnerability in PyAMF before 0.8.0 allows remote attackers to cause a denial of service or read arbitrary files via a crafted Action Message Format (AMF) payload.

Open Xchange | Open Xchange Appsuite | Nov 21, 2024 | Jan 14, 2020 | N/A / 7.8 HIGH / 6.8 MEDIUM
  XML external entity (XXE) vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev11 and 7.6.x before 7.6.0-rev9 allows remote attackers to read arbitrary files and possibly other unspecified impact via a crafted OpenDocument Text document.

Yet Another Java Service Wrapper Project | Yet Another Java Service Wrapper | Nov 21, 2024 | Jan 14, 2020 | N/A / 9.1 CRITICAL / 6.4 MEDIUM
  An XXE vulnerability in JnlpSupport in Yet Another Java Service Wrapper (YAJSW) 12.14, as used in NSA Ghidra and other products, allows attackers to exfiltrate data from remote hosts and potentially cause denial-of-service.

Canonical, Mozilla | Firefox, Ubuntu Linux | Nov 21, 2024 | Jan 8, 2020 | N/A / 6.5 MEDIUM / 4.3 MEDIUM
  If an XML file is served with a Content Security Policy and the XML file includes an XSL stylesheet, the Content Security Policy will not be applied to the contents of the XSL stylesheet. If the XSL sheet e.g. includes JavaScript, it would bypass any of the restrictions of the Content Security Policy applied to the XML document. This vulnerability affects Firefox < 72.

Cisco | Data Center Network Manager | Nov 21, 2024 | Jan 6, 2020 | N/A / 4.9 MEDIUM / 4.0 MEDIUM
  A vulnerability in the SOAP API of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system. To exploit this vulnerability, an attacker would need administrative privileges on the DCNM application. The vulnerability exists because the SOAP API improperly handles XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by inserting malicious XML content in an API request. A successful exploit could allow the attacker to read arbitrary files from the affected device. Note: The severity of this vulnerability is aggravated by the vulnerabilities described in the Cisco Data Center Network Manager Authentication Bypass Vulnerabilities advisory, published simultaneously with this one.

Determine | Contract Lifecycle Management | Nov 21, 2024 | Jan 5, 2020 | N/A / 4.9 MEDIUM / 4.0 MEDIUM
  An issue was discovered in Determine (formerly Selectica) Contract Lifecycle Management (CLM) in v5.4. An XML external entity (XXE) vulnerability in the upload definition feature in definition_upload_attach.jsp allows authenticated remote attackers to read arbitrary files (including configuration files containing administrative credentials).

Emc | Rsa Authentication Manager | Nov 21, 2024 | Jan 3, 2020 | N/A / 6.5 MEDIUM / 4.0 MEDIUM
  RSA Authentication Manager versions prior to 8.4 P7 contain an XML Entity Injection Vulnerability. A remote authenticated malicious user could potentially exploit this vulnerability to cause information disclosure of local system files by supplying a specially crafted XML message.

Xmlblueprint | Xmlblueprint | Nov 21, 2024 | Dec 30, 2019 | N/A / 8.1 HIGH / 5.5 MEDIUM
  XMLBlueprint through 16.191112 is affected by XML External Entity Injection. The impact is: Arbitrary File Read when an XML File is validated. The component is: XML Validate function. The attack vector is: Specially crafted XML payload.