Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

CVEs (1,244)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2019-8087 1Adobe 1Experience Manager Nov 21, 2024 Oct 25, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Adobe Experience Manager versions 6.5, 6.4, 6.3 and 6.2 have a xml external entity injection vulnerability. Successful exploitation could lead to sensitive information disclosure.
CVE-2019-8086 1Adobe 1Experience Manager Nov 21, 2024 Oct 25, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Adobe Experience Manager versions 6.5, 6.4, 6.3 and 6.2 have a xml external entity injection vulnerability. Successful exploitation could lead to sensitive information disclosure.
CVE-2019-8082 1Adobe 1Experience Manager Nov 21, 2024 Oct 25, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Adobe Experience Manager versions 6.4, 6.3 and 6.2 have a xml external entity injection vulnerability. Successful exploitation could lead to sensitive information disclosure.
CVE-2019-18213 3Eclipse Theia Xml Extension ProjectXml Language Server Project 3Theia Xml Extension Wild Web DeveloperXml Server Project Nov 21, 2024 Oct 23, 2019 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 XML Language Server (aka lsp4xml) before 0.9.1, as used in Red Hat XML Language Support (aka vscode-xml) before 0.9.1 for Visual Studio and other products, allows XXE via a crafted XML document, with resultant SSRF (as w...Show more XML Language Server (aka lsp4xml) before 0.9.1, as used in Red Hat XML Language Support (aka vscode-xml) before 0.9.1 for Visual Studio and other products, allows XXE via a crafted XML document, with resultant SSRF (as well as SMB connection initiation that can lead to NetNTLM challenge/response capture for password cracking). This occurs in extensions/contentmodel/participants/diagnostics/LSPXMLParserConfiguration.java.Show less
CVE-2019-12415 2Apache Oracle 27Application Testing Suite Banking Enterprise OriginationsBanking Enterprise Product Manufacturing+24 more Nov 21, 2024 Oct 23, 2019 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from intern...Show more In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing.Show less
CVE-2019-10466 1Jenkins 1360 Fireline Nov 21, 2024 Oct 23, 2019 N/A· v4 8.1 HIGH· v3 5.5 MEDIUM· v2 An XML external entities (XXE) vulnerability in Jenkins 360 FireLine Plugin allows attackers with Overall/Read access to have Jenkins resolve external entities, resulting in the extraction of secrets from the Jenkins age...Show more An XML external entities (XXE) vulnerability in Jenkins 360 FireLine Plugin allows attackers with Overall/Read access to have Jenkins resolve external entities, resulting in the extraction of secrets from the Jenkins agent, server-side request forgery, or denial-of-service attacks.Show less
CVE-2019-14276 1Xnat 1Xnat Nov 21, 2024 Oct 23, 2019 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 WUSTL XNAT 1.7.5.3 allows XXE attacks via a POST request body.
CVE-2019-1060 1Microsoft 6Windows 10 Windows 8.1Windows Rt 8.1+3 more Nov 21, 2024 Oct 10, 2019 N/A· v4 8.8 HIGH· v3 9.3 HIGH· v2 A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka 'MS XML Remote Code Execution Vulnerability'.
CVE-2019-12711 1Cisco 1Unified Communications Manager Nov 21, 2024 Oct 2, 2019 N/A· v4 6.5 MEDIUM· v3 6.4 MEDIUM· v2 A vulnerability in the web-based interface of Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition (SME) could allow an unauthenticated, remote attacker to access sensi...Show more A vulnerability in the web-based interface of Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition (SME) could allow an unauthenticated, remote attacker to access sensitive information or cause a denial of service (DoS) condition. The vulnerability is due to improper restrictions on XML entities. An attacker could exploit this vulnerability by sending malicious requests to an affected system that contain references in XML entities. A successful exploit could allow the attacker to retrieve files from the local system, resulting in the disclosure of sensitive information, or cause the application to consume available resources, resulting in a DoS condition.Show less
CVE-2019-16188 1Hcltech 1Appscan Source Nov 21, 2024 Sep 25, 2019 N/A· v4 7.1 HIGH· v3 5.8 MEDIUM· v2 HCL AppScan Source before 9.03.13 is susceptible to XML External Entity (XXE) attacks in multiple locations. In particular, an attacker can send a specially crafted .ozasmt file to a targeted victim and ask the victim to...Show more HCL AppScan Source before 9.03.13 is susceptible to XML External Entity (XXE) attacks in multiple locations. In particular, an attacker can send a specially crafted .ozasmt file to a targeted victim and ask the victim to open it. When the victim imports the .ozasmt file in AppScan Source, the content of any file in the local file system (to which the victim as read access) can be exfiltrated to a remote listener under the attacker's control. The product does not disable external XML Entity Processing, which can lead to information disclosure and denial of services attacks.Show less
CVE-2019-9488 1Trendmicro 2Deep Security Manager Vulnerability Protection Nov 21, 2024 Sep 11, 2019 N/A· v4 4.9 MEDIUM· v3 4.0 MEDIUM· v2 Trend Micro Deep Security Manager (10.x, 11.x) and Vulnerability Protection (2.0) are vulnerable to a XML External Entity Attack. However, for the attack to be possible, the attacker must have root/admin access to a prot...Show more Trend Micro Deep Security Manager (10.x, 11.x) and Vulnerability Protection (2.0) are vulnerable to a XML External Entity Attack. However, for the attack to be possible, the attacker must have root/admin access to a protected host which is authorized to communicate with the Deep Security Manager (DSM).Show less
CVE-2019-16174 1Limesurvey 1Limesurvey Nov 21, 2024 Sep 9, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 An XML injection vulnerability was found in Limesurvey before 3.17.14 that allows remote attackers to import specially crafted XML files and execute code or compromise data integrity.
CVE-2019-6179 1Lenovo 2Xclarity Administrator Xclarity Integrator Nov 21, 2024 Sep 3, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 An XML External Entity (XXE) processing vulnerability was reported in Lenovo XClarity Administrator (LXCA) prior to version 2.5.0 , Lenovo XClarity Integrator (LXCI) for Microsoft System Center prior to version 7.7.0, an...Show more An XML External Entity (XXE) processing vulnerability was reported in Lenovo XClarity Administrator (LXCA) prior to version 2.5.0 , Lenovo XClarity Integrator (LXCI) for Microsoft System Center prior to version 7.7.0, and Lenovo XClarity Integrator (LXCI) for VMWare vCenter prior to version 6.1.0 that could allow information disclosure.Show less
CVE-2019-13608 1Citrix 1Storefront Server Nov 6, 2025 Aug 29, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Citrix StoreFront Server before 1903, 7.15 LTSR before CU4 (3.12.4000), and 7.6 LTSR before CU8 (3.0.8000) allows XXE attacks.
CVE-2019-15641 1Webmin 1Webmin Nov 21, 2024 Aug 26, 2019 N/A· v4 6.5 MEDIUM· v3 6.8 MEDIUM· v2 xmlrpc.cgi in Webmin through 1.930 allows authenticated XXE attacks. By default, only root, admin, and sysadm can access xmlrpc.cgi.
CVE-2019-15637 1Tableau 4Tableau Desktop Tableau Public DesktopTableau Reader+1 more Nov 21, 2024 Aug 26, 2019 N/A· v4 8.1 HIGH· v3 5.5 MEDIUM· v2 Numerous Tableau products are vulnerable to XXE via a malicious workbook, extension, or data source, leading to information disclosure or a DoS. This affects Tableau Server, Tableau Desktop, Tableau Reader, and Tableau P...Show more Numerous Tableau products are vulnerable to XXE via a malicious workbook, extension, or data source, leading to information disclosure or a DoS. This affects Tableau Server, Tableau Desktop, Tableau Reader, and Tableau Public Desktop.Show less
CVE-2019-4513 1Ibm 1Security Access Manager For Enterprise Single Sign On Nov 21, 2024 Aug 26, 2019 N/A· v4 8.2 HIGH· v3 6.4 MEDIUM· v2 IBM Security Access Manager for Enterprise Single Sign-On 8.2.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensit...Show more IBM Security Access Manager for Enterprise Single Sign-On 8.2.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 164555.Show less
CVE-2019-14258 1Zenoss 1Zenoss Nov 21, 2024 Aug 21, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 The XML-RPC subsystem in Zenoss 2.5.3 allows XXE attacks that lead to unauthenticated information disclosure via port 9988.
CVE-2019-4424 1Ibm 2Business Automation Workflow Business Process Manager Nov 21, 2024 Aug 20, 2019 N/A· v4 8.2 HIGH· v3 6.4 MEDIUM· v2 IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1, and 19.0.0.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerab...Show more IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1, and 19.0.0.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 162770.Show less
CVE-2019-4340 1Ibm 1Security Guardium Big Data Intelligence Nov 21, 2024 Aug 20, 2019 N/A· v4 8.2 HIGH· v3 6.4 MEDIUM· v2 IBM Security Guardium Big Data Intelligence 4.0 (SonarG) is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive inf...Show more IBM Security Guardium Big Data Intelligence 4.0 (SonarG) is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 161419.Show less

Previous 1...404142...63 Next