Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

CVEs (1,244)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2019-4433 1Ibm 2Infosphere Global Name Management Infosphere Identity Insight Nov 21, 2024 Aug 20, 2019 N/A· v4 8.2 HIGH· v3 6.4 MEDIUM· v2 IBM InfoSphere Global Name Management 5.0 and 6.0 and IBM InfoSphere Identity Insight 8.1 and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit t...Show more IBM InfoSphere Global Name Management 5.0 and 6.0 and IBM InfoSphere Identity Insight 8.1 and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 162890.Show less
CVE-2019-4419 1Ibm 3Intelligent Operations Center Intelligent Operations Center For Emergency ManagementWater Operations For Waternamics Nov 21, 2024 Aug 20, 2019 N/A· v4 8.2 HIGH· v3 6.4 MEDIUM· v2 IBM Intelligent Operations Center V5.1.0 through V5.2.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive info...Show more IBM Intelligent Operations Center V5.1.0 through V5.2.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 162737.Show less
CVE-2019-1187 1Microsoft 8Windows 10 Windows 7Windows 8.1+5 more Feb 20, 2026 Aug 14, 2019 N/A· v4 5.5 MEDIUM· v3 5.0 MEDIUM· v2 A denial of service vulnerability exists when the XmlLite runtime (XmlLite.dll) improperly parses XML input. An attacker who successfully exploited this vulnerability could cause a denial of service against an XML applic...Show more A denial of service vulnerability exists when the XmlLite runtime (XmlLite.dll) improperly parses XML input. An attacker who successfully exploited this vulnerability could cause a denial of service against an XML application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to an XML application. The update addresses the vulnerability by correcting how the XmlLite runtime parses XML input.Show less
CVE-2019-1057 1Microsoft 8Windows 10 Windows 7Windows 8.1+5 more Feb 20, 2026 Aug 14, 2019 N/A· v4 7.5 HIGH· v3 9.3 HIGH· v2 A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input. An attacker who successfully exploited the vulnerability could run malicious code remotely to take cont...Show more A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input. An attacker who successfully exploited the vulnerability could run malicious code remotely to take control of the user’s system. To exploit the vulnerability, an attacker could host a specially crafted website designed to invoke MSXML through a web browser. However, an attacker would have no way to force a user to visit such a website. Instead, an attacker would typically have to convince a user to either click a link in an email message or instant message that would then take the user to the website. When Internet Explorer parses the XML content, an attacker could run malicious code remotely to take control of the user’s system. The update addresses the vulnerability by correcting how the MSXML parser processes user input.Show less
CVE-2019-0340 1Sap 1Enable Now Nov 21, 2024 Aug 14, 2019 N/A· v4 5.4 MEDIUM· v3 5.5 MEDIUM· v2 The XML parser, which is being used by SAP Enable Now, before version 1902, has not been hardened correctly, leading to Missing XML Validation vulnerability. This issue affects the file upload at multiple locations. An a...Show more The XML parser, which is being used by SAP Enable Now, before version 1902, has not been hardened correctly, leading to Missing XML Validation vulnerability. This issue affects the file upload at multiple locations. An attacker can read local XXE files.Show less
CVE-2019-14693 1Zohocorp 1Manageengine Assetexplorer Nov 21, 2024 Aug 8, 2019 N/A· v4 8.1 HIGH· v3 5.5 MEDIUM· v2 Zoho ManageEngine AssetExplorer 6.2.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing license XML data. A remote attacker could exploit this vulnerability to expose sensitive information or...Show more Zoho ManageEngine AssetExplorer 6.2.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing license XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.Show less
CVE-2019-13176 13cx 13cx Nov 21, 2024 Aug 8, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 An issue was discovered in the 3CX Phone system (web) management console 12.5.44178.1002 through 12.5 SP2. The Content.MainForm.wgx component is affected by XXE via a crafted XML document in POST data. There is potential...Show more An issue was discovered in the 3CX Phone system (web) management console 12.5.44178.1002 through 12.5 SP2. The Content.MainForm.wgx component is affected by XXE via a crafted XML document in POST data. There is potential to use this for SSRF (reading local files, outbound HTTP, and outbound DNS).Show less
CVE-2018-14383 1Ttpsc 1The Scheduler Nov 21, 2024 Aug 7, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 The Transition Technologies "The Scheduler" app 5.1.3 for Jira allows XXE due to a weakly configured/parameterized XML parser. It was fixed in the versions 5.2.1 and 3.3.7
CVE-2017-18438 1Cpanel 1Cpanel Nov 21, 2024 Aug 2, 2019 N/A· v4 6.3 MEDIUM· v3 6.5 MEDIUM· v2 cPanel before 64.0.21 allows demo accounts to execute code via Encoding API calls (SEC-242).
CVE-2019-4456 1Ibm 1Daeja Viewone Nov 21, 2024 Jul 30, 2019 N/A· v4 7.1 HIGH· v3 5.5 MEDIUM· v2 IBM Daeja ViewONE Professional, Standard & Virtual 5.0.5 and 5.0.6 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sen...Show more IBM Daeja ViewONE Professional, Standard & Virtual 5.0.5 and 5.0.6 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 163620.Show less
CVE-2019-4062 1Ibm 1I2 Intelligent Analysis Platform Nov 21, 2024 Jul 30, 2019 N/A· v4 7.1 HIGH· v3 5.5 MEDIUM· v2 IBM i2 Intelligent Analyis Platform 9.0.0 through 9.1.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive info...Show more IBM i2 Intelligent Analyis Platform 9.0.0 through 9.1.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 157007.Show less
CVE-2019-10266 1Ahsay 1Cloud Backup Suite Nov 21, 2024 Jul 26, 2019 N/A· v4 7.5 HIGH· v3 7.8 HIGH· v2 An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. When sending an out-of-bounds XML document to a URL, it is possible to read the file structure and even the content of files without authentication.
CVE-2019-10264 1Ahsay 1Cloud Backup Suite Nov 21, 2024 Jul 26, 2019 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. With a valid administrator account, the "Move / Import / Export Users" screen has an Import Users option. This option accepts a ZIP archive containing...Show more An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. With a valid administrator account, the "Move / Import / Export Users" screen has an Import Users option. This option accepts a ZIP archive containing a users.xml file that can trigger XXE.Show less
CVE-2019-13990 5Apache AtlassianNetapp+2 more 31Active Iq Unified Manager Apache Batik MapviewerBanking Enterprise Originations+28 more Nov 21, 2024 Jul 26, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.
CVE-2019-10976 1Mitsubishielectric 1Electric Fr Configurator2 Firmware Nov 21, 2024 Jul 26, 2019 N/A· v4 5.5 MEDIUM· v3 4.3 MEDIUM· v2 Mitsubishi Electric FR Configurator2, Version 1.16S and prior. This vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project and/or template file (.frc2). Once a user...Show more Mitsubishi Electric FR Configurator2, Version 1.16S and prior. This vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project and/or template file (.frc2). Once a user opens the file, the attacker could read arbitrary files.Show less
CVE-2019-2861 1Oracle 1Hyperion Planning Nov 21, 2024 Jul 23, 2019 N/A· v4 4.2 MEDIUM· v3 2.1 LOW· v2 Vulnerability in the Oracle Hyperion Planning component of Oracle Hyperion (subcomponent: Security). The supported version that is affected is 11.1.2.4. Difficult to exploit vulnerability allows high privileged attacker...Show more Vulnerability in the Oracle Hyperion Planning component of Oracle Hyperion (subcomponent: Security). The supported version that is affected is 11.1.2.4. Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Hyperion Planning. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Hyperion Planning accessible data. CVSS 3.0 Base Score 4.2 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N).Show less
CVE-2019-1010202 1Jeesite 1Jeesite Nov 21, 2024 Jul 23, 2019 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 Jeesite 1.2.7 is affected by: XML External Entity (XXE). The impact is: sensitive information disclosure. The component is: convertToModel() function in src/main/java/com.thinkgem.jeesite/modules/act/service/ActProcessSe...Show more Jeesite 1.2.7 is affected by: XML External Entity (XXE). The impact is: sensitive information disclosure. The component is: convertToModel() function in src/main/java/com.thinkgem.jeesite/modules/act/service/ActProcessService.java. The attack vector is: network connectivity,authenticated,must upload a specially crafted xml file. The fixed version is: 4.0 and later.Show less
CVE-2019-7847 1Adobe 1Campaign Nov 21, 2024 Jul 18, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Adobe Campaign Classic version 18.10.5-8984 and earlier versions have an Improper Restriction of XML External Entity Reference ('XXE') vulnerability. Successful exploitation could lead to Arbitrary read access to the fil...Show more Adobe Campaign Classic version 18.10.5-8984 and earlier versions have an Improper Restriction of XML External Entity Reference ('XXE') vulnerability. Successful exploitation could lead to Arbitrary read access to the file system in the context of the current user.Show less
CVE-2019-1010268 1Ladon Project 1Ladon Nov 21, 2024 Jul 18, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Ladon since 0.6.1 (since ebef0aae48af78c159b6fce81bc6f5e7e0ddb059) is affected by: XML External Entity (XXE). The impact is: Information Disclosure, reading files and reaching internal network endpoints. The component is...Show more Ladon since 0.6.1 (since ebef0aae48af78c159b6fce81bc6f5e7e0ddb059) is affected by: XML External Entity (XXE). The impact is: Information Disclosure, reading files and reaching internal network endpoints. The component is: SOAP request handlers. For instance: https://bitbucket.org/jakobsg/ladon/src/42944fc012a3a48214791c120ee5619434505067/src/ladon/interfaces/soap.py#lines-688. The attack vector is: Send a specially crafted SOAP call.Show less
CVE-2019-13625 1Nsa 1Ghidra Nov 21, 2024 Jul 17, 2019 N/A· v4 9.1 CRITICAL· v3 9.4 HIGH· v2 NSA Ghidra before 9.0.1 allows XXE when a project is opened or restored, or a tool is imported, as demonstrated by a project.prp file.

Previous 1...414243...63 Next