CWE-611
1,244 CVEs • Abstraction: Base
Improper Restriction of XML External Entity Reference
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
CVEs (1,244)
| CVE | Vendors | Products | Updated | Published | CVSS |
|---|---|---|---|---|---|
| ZxChat (aka ZeXtras Chat), as used for zimbra-chat and zimbra-talk in Synacor Zimbra Collaboration Suite 8.7 and 8.8 and in other products, allows XXE attacks, as demonstrated by a crafted XML request to mailboxd. | Synacor | Zimbra Collaboration Suite | Nov 21, 2024 | May 29, 2019 | v4: N/A, v3: 9.8 CRITICAL, v2: 7.5 HIGH |
| Apache Camel prior to 2.24.0 contains an XML external entity injection (XXE) vulnerability (CWE-611) due to using an outdated vulnerable JSON-lib library. This affects only the camel-xmljson component, which was removed. | Apache, Oracle | Camel, Enterprise Data Quality, Enterprise Manager Base Platform, +2 more | Nov 21, 2024 | May 28, 2019 | v4: N/A, v3: 7.5 HIGH, v2: 5.0 MEDIUM |
| ClientServiceConfigController.cs in Enghouse Cloud Contact Center Platform 7.2.5 has functionality for loading external XML files and parsing them, allowing an attacker to upload a malicious XML file and reference it in... | | | | | |
| An XML external entity (XXE) vulnerability in the Password Vault Web Access (PVWA) of CyberArk Enterprise Password Vault <=10.7 allows remote attackers to read arbitrary files or potentially bypass authentication via a c... | Cyberark | Enterprise Password Vault | Nov 21, 2024 | May 8, 2019 | v4: N/A, v3: 9.8 CRITICAL, v2: 7.5 HIGH |
| IBM TRIRIGA Application Platform 3.5.3 and 3.6.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information... | Ibm | Tririga Application Platform | Nov 21, 2024 | May 7, 2019 | v4: N/A, v3: 7.1 HIGH, v2: 5.5 MEDIUM |
| BlogEngine.NET 3.3 allows XXE attacks via the POST body to metaweblog.axd. | | | | | |
| The Custom Report import function in Zoho ManageEngine Firewall Analyzer before 12.3 Build 123224 is vulnerable to XML External Entity (XXE) Injection. | Zohocorp | Manageengine Firewall Analyzer | Nov 21, 2024 | May 2, 2019 | v4: N/A, v3: 9.8 CRITICAL, v2: 7.5 HIGH |
| Jenkins Self-Organizing Swarm Plug-in Modules Plugin clients that use UDP broadcasts to discover Jenkins masters do not prevent XML External Entity processing when processing the responses, allowing unauthorized attacker... | Jenkins | Self Organizing Swarm Modules | Nov 21, 2024 | Apr 30, 2019 | v4: N/A, v3: 9.3 CRITICAL, v2: 4.8 MEDIUM |
| Libraries/Nop.Services/Localization/LocalizationService.cs in nopCommerce through 4.10 allows XXE via the "Configurations -> Languages -> Edit Language -> Import Resources -> Upload XML file" screen. | | | | | |
| An XML external entity (XXE) vulnerability in Kofax Front Office Server Administration Console version 4.1.1.11.0.5212 allows remote authenticated users to read arbitrary files via crafted XML inside an imported package... | | | | | |
| An XML External Entity vulnerability in the UEM Core of BlackBerry UEM version(s) earlier than 12.10.1a could allow an attacker to potentially gain read access to files on any system reachable by the UEM service account. | Blackberry | Unified Endpoint Management | Nov 21, 2024 | Apr 18, 2019 | v4: N/A, v3: 7.5 HIGH, v2: 5.0 MEDIUM |
| Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XFDF. | Apache, Fedoraproject, Oracle | Banking Corporate Lending Process Management, Banking Credit Facilities Process Management, Banking Supply Chain Finance, +11 more | Nov 21, 2024 | Apr 17, 2019 | v4: N/A, v3: 9.8 CRITICAL, v2: 7.5 HIGH |
| SLD Registration in SAP HANA (fixed in versions 1.0, 2.0) does not sufficiently validate an XML document accepted from an untrusted source. The attacker can call SLDREG with an XML file containing a reference to an XML E... | | | | | |
| A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka 'MS XML Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0790, CVE-2019-07... | Microsoft | Windows 10, Windows 7, Windows 8.1, +5 more | Nov 21, 2024 | Apr 9, 2019 | v4: N/A, v3: 8.8 HIGH, v2: 9.3 HIGH |
| A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka 'MS XML Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0790, CVE-2019-07... | Microsoft | Windows 10, Windows 7, Windows 8.1, +5 more | Nov 21, 2024 | Apr 9, 2019 | v4: N/A, v3: 8.8 HIGH, v2: 9.3 HIGH |
| A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka 'MS XML Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0790, CVE-2019-07... | Microsoft | Windows 10, Windows 7, Windows 8.1, +5 more | Nov 21, 2024 | Apr 9, 2019 | v4: N/A, v3: 8.8 HIGH, v2: 9.3 HIGH |
| A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka 'MS XML Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0790, CVE-2019-07... | Microsoft | Windows 10, Windows 7, Windows 8.1, +5 more | Nov 21, 2024 | Apr 9, 2019 | v4: N/A, v3: 8.8 HIGH, v2: 9.3 HIGH |
| A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka 'MS XML Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0791, CVE-2019-07... | Microsoft | Windows 10, Windows 7, Windows 8.1, +4 more | Nov 21, 2024 | Apr 9, 2019 | v4: N/A, v3: 8.8 HIGH, v2: 9.3 HIGH |
| In Eclipse Kura versions up to 4.0.0, the Web UI package and component services, the Artemis simple Mqtt component and the emulator position service (not part of the device distribution) could potentially be target of XX... | | | | | |
| A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka 'MS XML Remote Code Execution Vulnerability'. | Microsoft | Windows 10, Windows 7, Windows 8.1, +5 more | Nov 21, 2024 | Apr 9, 2019 | v4: N/A, v3: 8.8 HIGH, v2: 9.3 HIGH |