Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

CVEs (1,244)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2019-3773 2Oracle Pivotal Software 3Financial Services Analytical Applications Infrastructure Flexcube Private BankingSpring Web Services Nov 21, 2024 Jan 18, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.
CVE-2019-3772 2Oracle Vmware 2Retail Customer Management And Segmentation Foundation Spring Integration Nov 21, 2024 Jan 18, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Spring Integration (spring-integration-xml and spring-integration-ws modules), versions 4.3.18, 5.0.10, 5.1.1, and older unsupported versions, were susceptible to XML External Entity Injection (XXE) when receiving XML da...Show more Spring Integration (spring-integration-xml and spring-integration-ws modules), versions 4.3.18, 5.0.10, 5.1.1, and older unsupported versions, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.Show less
CVE-2018-20233 1Atlassian 1Universal Plugin Manager Nov 21, 2024 Jan 18, 2019 N/A· v4 6.5 MEDIUM· v3 5.5 MEDIUM· v2 The Upload add-on resource in Atlassian Universal Plugin Manager before version 2.22.14 allows remote attackers who have system administrator privileges to read files, make network requests and perform a denial of servic...Show more The Upload add-on resource in Atlassian Universal Plugin Manager before version 2.22.14 allows remote attackers who have system administrator privileges to read files, make network requests and perform a denial of service attack via an XML External Entity vulnerability in the parsing of atlassian plugin xml files in an uploaded JAR.Show less
CVE-2018-2019 1Ibm 1Security Identity Manager Nov 21, 2024 Jan 18, 2019 N/A· v4 7.1 HIGH· v3 5.5 MEDIUM· v2 IBM Security Identity Manager 6.0.0 Virtual Appliance is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive informa...Show more IBM Security Identity Manager 6.0.0 Virtual Appliance is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 155265.Show less
CVE-2018-20733 1Sas 1Web Infrastructure Platform Nov 21, 2024 Jan 17, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 BI Web Services in SAS Web Infrastructure Platform before 9.4M6 allows XXE.
CVE-2015-9280 1Mailenable 1Mailenable Nov 21, 2024 Jan 16, 2019 N/A· v4 10.0 CRITICAL· v3 5.0 MEDIUM· v2 MailEnable before 8.60 allows XXE via an XML document in the request.aspx Options parameter.
CVE-2018-16166 1Jpcert 1Logontracer Nov 21, 2024 Jan 9, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 LogonTracer 1.2.0 and earlier allows remote attackers to conduct XML External Entity (XXE) attacks via unspecified vectors.
CVE-2019-5748 1Traccar 1Server Nov 21, 2024 Jan 9, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 In Traccar Server version 4.2, protocol/SpotProtocolDecoder.java might allow XXE attacks.
CVE-2018-11788 1Apache 1Karaf Nov 21, 2024 Jan 7, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by XMLInputFactory class. Apache Karaf XMLInputF...Show more Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by XMLInputFactory class. Apache Karaf XMLInputFactory class doesn't contain any mitigation codes against XXE. This is a potential security risk as an user can inject external XML entities in Apache Karaf version prior to 4.1.7 or 4.2.2. It has been fixed in Apache Karaf 4.1.7 and 4.2.2 releases.Show less
CVE-2019-5312 1Wxjava Project 1Wxjava Sep 12, 2025 Jan 4, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An issue was discovered in weixin-java-tools v3.3.0. There is an XXE vulnerability in the getXmlDoc method of the BaseWxPayResult.java file. NOTE: this issue exists because of an incomplete fix for CVE-2018-20318.
CVE-2018-20664 1Zohocorp 1Manageengine Adselfservice Plus Nov 21, 2024 Jan 3, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Zoho ManageEngine ADSelfService Plus 5.x before build 5701 has XXE via an uploaded product license.
CVE-2018-19371 1Sdl 1Web Content Manager Nov 21, 2024 Jan 2, 2019 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 The SaveUserSettings service in Content Manager in SDL Web 8.5.0 has an XXE Vulnerability that allows reading sensitive files from the system.
CVE-2018-14720 4Debian FasterxmlOracle+1 more 12Banking Platform Communications Billing And Revenue ManagementDebian Linux+9 more Nov 21, 2024 Jan 2, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.
CVE-2018-1000889 1Logisim Evolution Project 1Logisim Evolution Nov 21, 2024 Dec 28, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Logisim Evolution version 2.14.3 and earlier contains an XML External Entity (XXE) vulnerability in Circuit file loading functionality (loadXmlFrom in src/com/cburch/logisim/file/XmlReader.java) that can result in inform...Show more Logisim Evolution version 2.14.3 and earlier contains an XML External Entity (XXE) vulnerability in Circuit file loading functionality (loadXmlFrom in src/com/cburch/logisim/file/XmlReader.java) that can result in information leak, possible RCE depending on system configuration. This attack appears to be exploitable via the victim opening a specially crafted circuit file. This vulnerability appears to have been fixed in 2.14.4.Show less
CVE-2018-7837 1Schneider Electric 1Iiot Monior Nov 21, 2024 Dec 24, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 An Improper Restriction of XML External Entity Reference ('XXE') vulnerability exists on numerous methods of the IIoT Monitor 3.1.38 software that could allow the software to resolve documents outside of the intended sph...Show more An Improper Restriction of XML External Entity Reference ('XXE') vulnerability exists on numerous methods of the IIoT Monitor 3.1.38 software that could allow the software to resolve documents outside of the intended sphere of control, causing the software to embed incorrect documents into its output and expose restricted information.Show less
CVE-2018-20433 2Debian Mchange 2C3p0 Debian Linux Nov 21, 2024 Dec 24, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.
CVE-2018-20318 1Wxjava Project 1Wxjava Nov 21, 2024 Dec 21, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An issue was discovered in weixin-java-tools v3.2.0. There is an XXE vulnerability in the getXmlDoc method of the BaseWxPayResult.java file.
CVE-2018-17247 1Elastic 1Elasticsearch Nov 21, 2024 Dec 20, 2018 N/A· v4 5.9 MEDIUM· v3 4.3 MEDIUM· v2 Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning's find_file_structure API. If a policy allowing external network access has been added to Elasticsearch's Java Security Manager then...Show more Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning's find_file_structure API. If a policy allowing external network access has been added to Elasticsearch's Java Security Manager then an attacker could send a specially crafted request capable of leaking content of local files on the Elasticsearch node. This could allow a user to access information that they should not have access to.Show less
CVE-2018-1000844 1Squareup 1Retrofit Nov 21, 2024 Dec 20, 2018 N/A· v4 9.1 CRITICAL· v3 6.4 MEDIUM· v2 Square Open Source Retrofit version Prior to commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437 contains a XML External Entity (XXE) vulnerability in JAXB that can result in An attacker could use this to remotely read files...Show more Square Open Source Retrofit version Prior to commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437 contains a XML External Entity (XXE) vulnerability in JAXB that can result in An attacker could use this to remotely read files from the file system or to perform SSRF.. This vulnerability appears to have been fixed in After commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437.Show less
CVE-2018-1000840 1Processing 1Processing Nov 21, 2024 Dec 20, 2018 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 Processing Foundation Processing version 3.4 and earlier contains a XML External Entity (XXE) vulnerability in loadXML() function that can result in An attacker can read arbitrary files and exfiltrate their contents via...Show more Processing Foundation Processing version 3.4 and earlier contains a XML External Entity (XXE) vulnerability in loadXML() function that can result in An attacker can read arbitrary files and exfiltrate their contents via HTTP requests. This attack appear to be exploitable via The victim must use Processing to parse a crafted XML document.Show less

Previous 1...454647...63 Next