CWE-611

1,244 CVEs • Abstraction: Base

Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.


CVEs (1,244)

Each entry lists vendor, product, last updated, published, CVSS (v4 / v3 / v2), and the description.

Vendor: Sleuthkit | Product: Autopsy | Updated: Nov 21, 2024 | Published: Dec 20, 2018 | CVSS: v4 N/A, v3 10.0 CRITICAL, v2 7.5 HIGH
autopsy version <= 4.9.0 contains an XML External Entity (XXE) vulnerability in CaseMetadata XML Parser that can result in disclosure of confidential data, denial of service, SSRF, port scanning. This attack appears to be exploitable via specially crafted CaseMetadata.

Vendor: Obeo | Product: Uml Designer | Updated: Nov 21, 2024 | Published: Dec 20, 2018 | CVSS: v4 N/A, v3 10.0 CRITICAL, v2 7.5 HIGH
UML Designer version <= 8.0.0 contains an XML External Entity (XXE) vulnerability in the XML parser for plugins that can result in disclosure of confidential data, denial of service, SSRF, port scanning. This attack appears to be exploitable via a malicious plugins.xml file.

Vendor: Apereo | Product: Bw Calendar Engine | Updated: Nov 21, 2024 | Published: Dec 20, 2018 | CVSS: v4 N/A, v3 9.0 CRITICAL, v2 6.8 MEDIUM
bw-calendar-engine version <= bw-calendar-engine-3.12.0 contains an XML External Entity (XXE) vulnerability in IscheduleClient XML Parser that can result in disclosure of confidential data, denial of service, SSRF, port scanning. This attack appears to be exploitable via man in the middle or a malicious server.

Vendor: Keepassdx | Product: Keepass Dx | Updated: Nov 21, 2024 | Published: Dec 20, 2018 | CVSS: v4 N/A, v3 10.0 CRITICAL, v2 7.5 HIGH
KeePassDX version <= 2.5.0.0beta17 contains an XML External Entity (XXE) vulnerability in the kdbx file parser that can result in disclosure of confidential data, denial of service, SSRF, port scanning.

Vendor: Runelite | Product: Runelite | Updated: Nov 21, 2024 | Published: Dec 20, 2018 | CVSS: v4 N/A, v3 9.0 CRITICAL, v2 6.8 MEDIUM
runelite version <= runelite-parent-1.4.23 contains an XML External Entity (XXE) vulnerability in a man in the middle RuneScape services call that can result in disclosure of confidential data, denial of service, SSRF, port scanning.

Vendor: K9mail | Product: K 9 Mail | Updated: Nov 21, 2024 | Published: Dec 20, 2018 | CVSS: v4 N/A, v3 10.0 CRITICAL, v2 7.5 HIGH
K9Mail version <= v5.600 contains an XML External Entity (XXE) vulnerability in the WebDAV response parser that can result in disclosure of confidential data, denial of service, SSRF, port scanning. This attack appears to be exploitable via a malicious WebDAV server or by intercepting the response of a valid WebDAV server.

Vendor: Xr3player Project | Product: Xr3player | Updated: Nov 21, 2024 | Published: Dec 20, 2018 | CVSS: v4 N/A, v3 10.0 CRITICAL, v2 7.5 HIGH
XR3Player version <= V3.124 contains an XML External Entity (XXE) vulnerability in the Playlist parser that can result in disclosure of confidential data, denial of service, SSRF, port scanning.

Vendor: Anyplace Project | Product: Anyplace | Updated: Nov 21, 2024 | Published: Dec 20, 2018 | CVSS: v4 N/A, v3 9.0 CRITICAL, v2 6.8 MEDIUM
Anyplace version before commit 80359b4 contains an XML External Entity (XXE) vulnerability in a man in the middle on map API call that can result in disclosure of confidential data, denial of service, SSRF, port scanning. This vulnerability appears to have been fixed after commit 80359b4.

Vendor: Frostwire | Product: Frostwire | Updated: Nov 21, 2024 | Published: Dec 20, 2018 | CVSS: v4 N/A, v3 9.0 CRITICAL, v2 6.8 MEDIUM
FrostWire version <= frostwire-desktop-6.7.4-build-272 contains an XML External Entity (XXE) vulnerability in a man in the middle on update that can result in disclosure of confidential data, denial of service, SSRF, port scanning. This attack appears to be exploitable via man in the middle of the call to update the software.

Vendor: Freecol | Product: Freecol | Updated: Nov 21, 2024 | Published: Dec 20, 2018 | CVSS: v4 N/A, v3 10.0 CRITICAL, v2 7.5 HIGH
FreeCol version <= nightly-2018-08-22 contains an XML External Entity (XXE) vulnerability in the FreeColXMLReader parser that can result in disclosure of confidential data, denial of service, SSRF, port scanning. This attack appears to be exploitable via a FreeCol file.

Vendor: Exist Db | Product: Exist | Updated: Nov 21, 2024 | Published: Dec 20, 2018 | CVSS: v4 N/A, v3 10.0 CRITICAL, v2 7.5 HIGH
exist version <= 5.0.0-RC4 contains an XML External Entity (XXE) vulnerability in the XML Parser for REST Server that can result in disclosure of confidential data, denial of service, SSRF, port scanning.

Vendor: Codelibs | Product: Fess | Updated: Nov 21, 2024 | Published: Dec 20, 2018 | CVSS: v4 N/A, v3 10.0 CRITICAL, v2 7.5 HIGH
codelibs fess version before commit faa265b contains an XML External Entity (XXE) vulnerability in the GSA XML file parser that can result in disclosure of confidential data, denial of service, SSRF, port scanning. This attack appears to be exploitable via specially crafted GSA XML files. This vulnerability appears to have been fixed after commit faa265b.

Vendor: Micromathematics Project | Product: Micromathematics | Updated: Nov 21, 2024 | Published: Dec 20, 2018 | CVSS: v4 N/A, v3 10.0 CRITICAL, v2 7.5 HIGH
MicroMathematics version before commit 5c05ac8 contains an XML External Entity (XXE) vulnerability in SMathStudio files that can result in disclosure of confidential data, denial of service, SSRF, port scanning. This attack appears to be exploitable via specially crafted SMathStudio files. This vulnerability appears to have been fixed after commit 5c05ac8.

Vendor: Neo4j | Product: Awesome Procedures On Cypher | Updated: Nov 21, 2024 | Published: Dec 20, 2018 | CVSS: v4 N/A, v3 10.0 CRITICAL, v2 7.5 HIGH
neo4j-contrib neo4j-apoc-procedures version before commit 45bc09c contains an XML External Entity (XXE) vulnerability in XML Parser that can result in disclosure of confidential data, denial of service, SSRF, port scanning. This vulnerability appears to have been fixed after commit 45bc09c.

Vendor: S3browser | Product: S3 Browser | Updated: Nov 21, 2024 | Published: Dec 19, 2018 | CVSS: v4 N/A, v3 6.5 MEDIUM, v2 4.3 MEDIUM
S3 Browser before 8.1.5 contains an XML external entity (XXE) vulnerability, allowing remote attackers to read arbitrary files and obtain NTLMv2 hash values by tricking a user into connecting to a malicious server via the S3 protocol.

Vendor: Openrefine | Product: Openrefine | Updated: Nov 21, 2024 | Published: Dec 15, 2018 | CVSS: v4 N/A, v3 7.5 HIGH, v2 5.0 MEDIUM
The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files.

Vendor: Ibm | Product: Operational Decision Manager | Updated: Nov 21, 2024 | Published: Dec 13, 2018 | CVSS: v4 N/A, v3 9.1 CRITICAL, v2 6.4 MEDIUM
IBM Operational Decision Management 8.5, 8.6, 8.7, 8.8, and 8.9 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 150170.

Vendor: Sap | Product: Netweaver Application Server Java | Updated: Nov 21, 2024 | Published: Dec 11, 2018 | CVSS: v4 N/A, v3 7.1 HIGH, v2 5.5 MEDIUM
SAML 2.0 functionality in SAP NetWeaver AS Java does not sufficiently validate XML documents received from an untrusted source. This is fixed in versions 7.2, 7.30, 7.31, 7.40 and 7.50.

Vendor: Pippo | Product: Pippo | Updated: Nov 21, 2024 | Published: Dec 11, 2018 | CVSS: v4 N/A, v3 9.8 CRITICAL, v2 7.5 HIGH
jaxb/JaxbEngine.java in Pippo 1.11.0 allows XXE.

Vendor: Accusoft | Product: Prizmdoc | Updated: Nov 21, 2024 | Published: Dec 10, 2018 | CVSS: v4 N/A, v3 9.1 CRITICAL, v2 6.4 MEDIUM
Accusoft PrizmDoc HTML5 Document Viewer before 13.5 contains an XML external entity (XXE) vulnerability, allowing an attacker to read arbitrary files or cause a denial of service (resource consumption).