Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

CVEs (1,244)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2018-20222 1Airsonic Project 1Airsonic Nov 21, 2024 Apr 4, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 XXE issue in Airsonic before 10.1.2 during parse.
CVE-2019-4043 1Ibm 1Sterling B2b Integrator Nov 21, 2024 Apr 2, 2019 N/A· v4 7.1 HIGH· v3 5.5 MEDIUM· v2 IBM Sterling B2B Integrator Standard Edition 5.2.0 snf 6.0.0.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensiti...Show more IBM Sterling B2B Integrator Standard Edition 5.2.0 snf 6.0.0.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 156239.Show less
CVE-2017-18111 1Atlassian 1Application Links Nov 21, 2024 Mar 29, 2019 N/A· v4 8.7 HIGH· v3 5.5 MEDIUM· v2 The OAuthHelper in Atlassian Application Links before version 5.0.10, from version 5.1.0 before version 5.1.3, and from version 5.2.0 before version 5.2.6 used an XML document builder that was vulnerable to XXE when cons...Show more The OAuthHelper in Atlassian Application Links before version 5.0.10, from version 5.1.0 before version 5.1.3, and from version 5.2.0 before version 5.2.6 used an XML document builder that was vulnerable to XXE when consuming a client OAuth request. This allowed malicious oauth application linked applications to probe internal network resources by requesting internal locations, read the contents of files and also cause an out of memory exception affecting availability via an XML External Entity vulnerability.Show less
CVE-2017-18110 1Atlassian 1Crowd Nov 21, 2024 Mar 29, 2019 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 The administration backup restore resource in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers to read files from the filesystem via a XXE vulnerability.
CVE-2019-3481 1Hp 1Arcsight Logger Nov 21, 2024 Mar 25, 2019 N/A· v4 7.1 HIGH· v3 7.5 HIGH· v2 Mitigates a XML External Entity Parsing issue in ArcSight Logger versions prior to 6.7.
CVE-2017-9362 1Zohocorp 1Manageengine Servicedesk Plus Nov 21, 2024 Mar 25, 2019 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 ManageEngine ServiceDesk Plus before 9312 contains an XML injection at add Configuration items CMDB API.
CVE-2019-8997 1Blackberry 1Athoc Nov 21, 2024 Mar 21, 2019 N/A· v4 5.9 MEDIUM· v3 4.3 MEDIUM· v2 An XML External Entity Injection (XXE) vulnerability in the Management System (console) of BlackBerry AtHoc versions earlier than 7.6 HF-567 could allow an attacker to potentially read arbitrary local files from the appl...Show more An XML External Entity Injection (XXE) vulnerability in the Management System (console) of BlackBerry AtHoc versions earlier than 7.6 HF-567 could allow an attacker to potentially read arbitrary local files from the application server or make requests on the network by entering maliciously crafted XML in an existing field.Show less
CVE-2019-9761 1Phpshe 1Phpshe Nov 21, 2024 Mar 14, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 An XXE issue was discovered in PHPSHE 1.7, which can be used to read any file in the system or scan the internal network without authentication. This occurs because of the call to wechat_getxml in include/plugin/payment/...Show more An XXE issue was discovered in PHPSHE 1.7, which can be used to read any file in the system or scan the internal network without authentication. This occurs because of the call to wechat_getxml in include/plugin/payment/wechat/notify_url.php.Show less
CVE-2019-5918 1Nablarch Project 1Nablarch Nov 21, 2024 Mar 12, 2019 N/A· v4 9.1 CRITICAL· v3 8.5 HIGH· v2 Nablarch 5 (5, and 5u1 to 5u13) allows remote attackers to conduct XML External Entity (XXE) attacks via unspecified vectors.
CVE-2019-0277 1Sap 1Hana Extended Application Services Nov 21, 2024 Mar 12, 2019 N/A· v4 6.5 MEDIUM· v3 5.5 MEDIUM· v2 SAP HANA extended application services, version 1, advanced does not sufficiently validate an XML document accepted from an authenticated developer with privileges to the SAP space (XML External Entity vulnerability).
CVE-2019-9658 3Checkstyle DebianFedoraproject 3Checkstyle Debian LinuxFedora Nov 21, 2024 Mar 11, 2019 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 Checkstyle before 8.18 loads external DTDs by default.
CVE-2019-1698 1Cisco 1Iot Field Network Director Nov 21, 2024 Feb 21, 2019 N/A· v4 4.9 MEDIUM· v3 4.0 MEDIUM· v2 A vulnerability in the web-based user interface of Cisco Internet of Things Field Network Director (IoT-FND) Software could allow an authenticated, remote attacker to gain read access to information that is stored on an...Show more A vulnerability in the web-based user interface of Cisco Internet of Things Field Network Director (IoT-FND) Software could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system. The vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by importing a crafted XML file with malicious entries, which could allow the attacker to read files within the affected application. Versions prior to 4.4(0.26) are affected.Show less
CVE-2018-1727 1Ibm 1Infosphere Information Server Nov 21, 2024 Feb 15, 2019 N/A· v4 9.1 CRITICAL· v3 6.4 MEDIUM· v2 IBM InfoSphere Information Server 9.1, 11.3, 11.5, and 11.7 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive i...Show more IBM InfoSphere Information Server 9.1, 11.3, 11.5, and 11.7 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 147630.Show less
CVE-2019-0265 1Sap 5Advanced Business Application Programming Platform Kernel Advanced Business Application Programming Platform Krnl32nucAdvanced Business Application Programming Platform Krnl32uc+2 more Nov 21, 2024 Feb 15, 2019 N/A· v4 4.9 MEDIUM· v3 4.0 MEDIUM· v2 SLD Registration of ABAP Platform allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. Fixed in versions KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT,KRNL32UC 7.2...Show more SLD Registration of ABAP Platform allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. Fixed in versions KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT,KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49,KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49. 7.73 KERNEL from 7.21 to 7.22, 7.45, 7.49, 7.53, 7.73, 7.75.Show less
CVE-2019-7722 1Pmd Project 1Pmd Nov 21, 2024 Feb 11, 2019 N/A· v4 8.1 HIGH· v3 6.8 MEDIUM· v2 PMD 5.8.1 and earlier processes XML external entities in ruleset files it parses as part of the analysis process, allowing attackers tampering it (either by direct modification or MITM attacks when using remote rulesets)...Show more PMD 5.8.1 and earlier processes XML external entities in ruleset files it parses as part of the analysis process, allowing attackers tampering it (either by direct modification or MITM attacks when using remote rulesets) to perform information disclosure, denial of service, or request forgery attacks. (PMD 6.x is unaffected because of a 2017-09-15 change.)Show less
CVE-2019-1003015 1Jenkins 1Job Import Nov 21, 2024 Feb 6, 2019 N/A· v4 9.1 CRITICAL· v3 6.4 MEDIUM· v2 An XML external entity processing vulnerability exists in Jenkins Job Import Plugin 2.1 and earlier in src/main/java/org/jenkins/ci/plugins/jobimport/client/RestApiClient.java that allows attackers with the ability to co...Show more An XML external entity processing vulnerability exists in Jenkins Job Import Plugin 2.1 and earlier in src/main/java/org/jenkins/ci/plugins/jobimport/client/RestApiClient.java that allows attackers with the ability to control the HTTP server (Jenkins) queried in preparation of job import to read arbitrary files, perform a denial of service attack, etc.Show less
CVE-2018-1970 1Ibm 1Security Access Manager Nov 21, 2024 Feb 4, 2019 N/A· v4 7.1 HIGH· v3 5.5 MEDIUM· v2 IBM Security Identity Manager 7.0.1 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume me...Show more IBM Security Identity Manager 7.0.1 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 153751.Show less
CVE-2018-1801 1Ibm 3App Connect Integration BusWebsphere Message Broker Nov 21, 2024 Feb 4, 2019 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 IBM App Connect V11.0.0.0 through V11.0.0.1, IBM Integration Bus V10.0.0.0 through V10.0.0.13, IBM Integration Bus V9.0.0.0 through V9.0.0.10, and WebSphere Message Broker V8.0.0.0 through V8.0.0.9 is vulnerable to a XML...Show more IBM App Connect V11.0.0.0 through V11.0.0.1, IBM Integration Bus V10.0.0.0 through V10.0.0.13, IBM Integration Bus V9.0.0.0 through V9.0.0.10, and WebSphere Message Broker V8.0.0.0 through V8.0.0.9 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to consume memory resources. IBM X-Force ID: 149639.Show less
CVE-2018-19858 1Princexml 1Princexml Nov 21, 2024 Jan 30, 2019 N/A· v4 8.6 HIGH· v3 5.0 MEDIUM· v2 PrinceXML, versions 10 and below, is vulnerable to XXE due to the lack of protection against external entities. If an attacker passes HTML referencing an XML file (e.g., in an IFRAME element), PrinceXML will fetch the XM...Show more PrinceXML, versions 10 and below, is vulnerable to XXE due to the lack of protection against external entities. If an attacker passes HTML referencing an XML file (e.g., in an IFRAME element), PrinceXML will fetch the XML and parse it, thus giving an attacker file-read access and full-fledged SSRF.Show less
CVE-2019-3774 1Pivotal Software 1Spring Batch Nov 21, 2024 Jan 18, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Spring Batch versions 3.0.9, 4.0.1, 4.1.0, and older unsupported versions, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.

Previous 1...444546...63 Next