Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

CVEs (1,244)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2019-19031 1Edit Xml 1Easy Xml Editor Nov 21, 2024 Dec 30, 2019 N/A· v4 8.1 HIGH· v3 5.5 MEDIUM· v2 Easy XML Editor through v1.7.8 is affected by: XML External Entity Injection. The impact is: Arbitrary File Read and DoS by consuming resources. The component is: XML Parsing. The attack vector is: Specially crafted XML...Show more Easy XML Editor through v1.7.8 is affected by: XML External Entity Injection. The impact is: Arbitrary File Read and DoS by consuming resources. The component is: XML Parsing. The attack vector is: Specially crafted XML payload.Show less
CVE-2019-19998 1Xiuno 1Xiunobbs Nov 21, 2024 Dec 26, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Xiuno BBS 4.0 allows XXE via plugin/xn_wechat_public/route/token.php.
CVE-2012-2656 1Talend 1Restlet Nov 21, 2024 Dec 18, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 An XML eXternal Entity (XXE) issue exists in Restlet 1.1.10 in an endpoint using XML transport, which lets a remote attacker obtain sensitive information.
CVE-2019-16549 1Jenkins 1Maven Nov 21, 2024 Dec 17, 2019 N/A· v4 8.1 HIGH· v3 6.8 MEDIUM· v2 Jenkins Maven Release Plugin 0.16.1 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks, allowing man-in-the-middle attackers to have Jenkins parse crafted XML documents.
CVE-2014-3643 1Jersey Project 1Jersey Nov 21, 2024 Dec 15, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 jersey: XXE via parameter entities not disabled by the jersey SAX parser
CVE-2019-19702 1Modoboa 1Modoboa Dmarc Nov 21, 2024 Dec 10, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 The modoboa-dmarc plugin 1.1.0 for Modoboa is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this to perform a denial of service against the DMARC re...Show more The modoboa-dmarc plugin 1.1.0 for Modoboa is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this to perform a denial of service against the DMARC reporting functionality, such as by referencing the /dev/random file within XML documents that are emailed to the address in the rua field of the DMARC records of a domain.Show less
CVE-2019-11216 1Bmc 1Remedy Smart Reporting Nov 21, 2024 Dec 4, 2019 N/A· v4 6.5 MEDIUM· v3 5.5 MEDIUM· v2 BMC Smart Reporting 7.3 20180418 allows authenticated XXE within the import functionality. One can import a malicious XML file and perform XXE attacks to download local files from the server, or do DoS attacks with XML e...Show more BMC Smart Reporting 7.3 20180418 allows authenticated XXE within the import functionality. One can import a malicious XML file and perform XXE attacks to download local files from the server, or do DoS attacks with XML expansion attacks. XXE with direct response and XXE OOB are allowed.Show less
CVE-2019-17554 1Apache 1Olingo Nov 21, 2024 Dec 4, 2019 N/A· v4 5.5 MEDIUM· v3 4.3 MEDIUM· v2 The XML content type entity deserializer in Apache Olingo versions 4.0.0 to 4.6.0 is not configured to deny the resolution of external entities. Request with content type "application/xml", which trigger the deserializat...Show more The XML content type entity deserializer in Apache Olingo versions 4.0.0 to 4.6.0 is not configured to deny the resolution of external entities. Request with content type "application/xml", which trigger the deserialization of entities, can be used to trigger XXE attacks.Show less
CVE-2011-3600 1Apache 1Ofbiz Nov 21, 2024 Nov 26, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 The /webtools/control/xmlrpc endpoint in OFBiz XML-RPC event handler is exposed to External Entity Injection by passing DOCTYPE declarations with executable payloads that discloses the contents of files in the filesystem...Show more The /webtools/control/xmlrpc endpoint in OFBiz XML-RPC event handler is exposed to External Entity Injection by passing DOCTYPE declarations with executable payloads that discloses the contents of files in the filesystem. In addition, it can also be used to probe for open network ports, and figure out from returned error messages whether a file exists or not. This affects OFBiz 16.11.01 to 16.11.04.Show less
CVE-2019-10080 1Apache 1Nifi Nov 21, 2024 Nov 19, 2019 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 The XMLFileLookupService in NiFi versions 1.3.0 to 1.9.2 allowed trusted users to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE) and re...Show more The XMLFileLookupService in NiFi versions 1.3.0 to 1.9.2 allowed trusted users to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE) and reveal information such as the versions of Java, Jersey, and Apache that the NiFI instance uses.Show less
CVE-2019-17085 1Microfocus 1Operations Agent Nov 21, 2024 Nov 18, 2019 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 XXE attack vulnerability on Micro Focus Operations Agent, affected version 12.0, 12.01, 12.02, 12.03, 12.04, 12.05, 12.06, 12.10, 12.11. The vulnerability could be exploited to do an XXE attack on Operations Agent.
CVE-2018-20687 1Raritan 1Commandcenter Secure Gateway Nov 21, 2024 Nov 18, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An XML external entity (XXE) vulnerability in CommandCenterWebServices/.?wsdl in Raritan CommandCenter Secure Gateway before 8.0.0 allows remote unauthenticated users to read arbitrary files or conduct server-side reque...Show more An XML external entity (XXE) vulnerability in CommandCenterWebServices/.?wsdl in Raritan CommandCenter Secure Gateway before 8.0.0 allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.Show less
CVE-2019-10172 4Apache DebianFasterxml+1 more 5Debian Linux Jackson Mapper AslJboss Enterprise Application Platform+2 more Nov 21, 2024 Nov 18, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar CVE-2016-3720 also affects codehaus jackson-mapper-asl libraries but in different classes.
CVE-2019-14678 1Sas 2Base Sas Xml Mapper Nov 21, 2024 Nov 14, 2019 N/A· v4 10.0 CRITICAL· v3 7.5 HIGH· v2 SAS XML Mapper 9.45 has an XML External Entity (XXE) vulnerability that can be leveraged by malicious attackers in multiple ways. Examples are Local File Reading, Out Of Band File Exfiltration, Server Side Request Forger...Show more SAS XML Mapper 9.45 has an XML External Entity (XXE) vulnerability that can be leveraged by malicious attackers in multiple ways. Examples are Local File Reading, Out Of Band File Exfiltration, Server Side Request Forgery, and/or Potential Denial of Service attacks. This vulnerability also affects the XMLV2 LIBNAME engine when the AUTOMAP option is used.Show less
CVE-2014-3599 1Redhat 1Hornetq Nov 21, 2024 Nov 12, 2019 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 HornetQ REST is vulnerable to XML External Entity due to insecure configuration of RestEasy
CVE-2019-12331 1Phpoffice 1Phpspreadsheet Nov 21, 2024 Nov 7, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 PHPOffice PhpSpreadsheet before 1.8.0 has an XXE issue. The XmlScanner decodes the sheet1.xml from an .xlsx to utf-8 if something else than UTF-8 is declared in the header. This was a security measurement to prevent CVE-...Show more PHPOffice PhpSpreadsheet before 1.8.0 has an XXE issue. The XmlScanner decodes the sheet1.xml from an .xlsx to utf-8 if something else than UTF-8 is declared in the header. This was a security measurement to prevent CVE-2018-19277 but the fix is not sufficient. By double-encoding the the xml payload to utf-7 it is possible to bypass the check for the string ‚<!ENTITY‘ and thus allowing for an xml external entity processing (XXE) attack.Show less
CVE-2019-8126 1Magento 1Magento Nov 21, 2024 Nov 5, 2019 N/A· v4 4.9 MEDIUM· v3 4.0 MEDIUM· v2 An XML entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can craft document type definition for an XML representing XML layout. The...Show more An XML entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can craft document type definition for an XML representing XML layout. The crafted document type definition and XML layout allow processing of external entities which can lead to information disclosure.Show less
CVE-2019-18227 1Advantech 1Wise Paas/rmm Nov 21, 2024 Oct 31, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Advantech WISE-PaaS/RMM, Versions 3.3.29 and prior. XXE vulnerabilities exist that may allow disclosure of sensitive data.
CVE-2019-9757 1Labkey 1Labkey Server Nov 21, 2024 Oct 29, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 An issue was discovered in LabKey Server 19.1.0. Sending an SVG containing an XXE payload to the endpoint visualization-exportImage.view or visualization-exportPDF.view allows local files to be read.
CVE-2017-15725 1Devada 1Dzone Answerhub Nov 21, 2024 Oct 28, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 An XML External Entity Injection vulnerability exists in Dzone AnswerHub.

Previous 1...394041...63 Next