CWE-611

1,244 CVEs • Abstraction: Base

Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.


CVEs (1,244)

VENDOR | PRODUCT | UPDATED | PUBLISHED | CVSS (v4, v3, v2)

Apereo | Bw Webdav | Nov 21, 2024 | Dec 10, 2018 | v4 N/A, v3 7.5 HIGH, v2 5.0 MEDIUM
  Apereo Bedework bw-webdav before 4.0.3 allows XXE attacks, as demonstrated by an invite-reply document that reads a local file, related to webdav/servlet/common/MethodBase.java and webdav/servlet/common/PostRequestPars.java.

Arubanetworks | Clearpass Policy Manager | Nov 21, 2024 | Dec 7, 2018 | v4 N/A, v3 8.1 HIGH, v2 6.8 MEDIUM
  In Aruba ClearPass, disabled API admins can still perform read/write operations. In certain circumstances, API admins in ClearPass which have been disabled may still be able to perform read/write operations on parts of the XML API. This can lead to unauthorized access to the API and complete compromise of the ClearPass instance if an attacker knows of the existence of these accounts.

Ibm | Marketing Platform | Nov 21, 2024 | Dec 7, 2018 | v4 N/A, v3 7.1 HIGH, v2 5.5 MEDIUM
  IBM Marketing Platform 9.1.0, 9.1.2 and 10.1 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 152855.

Ibm | Marketing Platform | Nov 21, 2024 | Dec 7, 2018 | v4 N/A, v3 7.1 HIGH, v2 5.5 MEDIUM
  IBM Marketing Platform 9.1.0, 9.1.2, and 10.1 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 139029.

Ge | Cimplicity | Nov 21, 2024 | Dec 7, 2018 | v4 N/A, v3 9.1 CRITICAL, v2 6.4 MEDIUM
  XXE in GE Proficy Cimplicity GDS versions 9.0 R2, 9.5, 10.0

Solarwinds | Sftp/scp Server | Nov 21, 2024 | Dec 5, 2018 | v4 N/A, v3 9.1 CRITICAL, v2 6.4 MEDIUM
  SolarWinds SFTP/SCP server through 2018-09-10 is vulnerable to XXE via a world readable and writable configuration file that allows an attacker to exfiltrate data.

Ibm | Qradar Security Information And Event Manager | Nov 21, 2024 | Dec 5, 2018 | v4 N/A, v3 7.1 HIGH, v2 5.5 MEDIUM
  IBM QRadar SIEM 7.2 and 7.3 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 147709.

Ibm | Websphere Application Server | Nov 21, 2024 | Nov 26, 2018 | v4 N/A, v3 7.1 HIGH, v2 5.5 MEDIUM
  IBM WebSphere Application Server 9.0.0.0 through 9.0.0.9 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 152534.

Charlesproxy | Charles | Nov 21, 2024 | Nov 13, 2018 | v4 N/A, v3 8.6 HIGH, v2 5.0 MEDIUM
  An XML External Entity (XXE) vulnerability exists in the Charles 4.2.7 import/export setup option. If a user imports a "Charles Settings.xml" file from an attacker, an intranet network may be accessed and information may be leaked.

Cisco | Energy Management Suite Software | Nov 21, 2024 | Nov 8, 2018 | v4 N/A, v3 7.3 HIGH, v2 4.9 MEDIUM
  A vulnerability in the web-based user interface of Cisco Energy Management Suite Software could allow an authenticated, remote attacker to gain read and write access to information that is stored on an affected system. The vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by convincing a user of an affected system to import a crafted XML file with malicious entries, which could allow the attacker to read and write files within the affected application.

Apache | Syncope | Nov 21, 2024 | Nov 6, 2018 | v4 N/A, v3 7.2 HIGH, v2 6.5 MEDIUM
  An administrator with workflow definition entitlements can use DTD to perform malicious operations, including but not limited to file read, file write, and code execution.

Zohocorp | Manageengine Network Configuration Manager, Manageengine Opmanager | Nov 21, 2024 | Nov 6, 2018 | v4 N/A, v3 7.5 HIGH, v2 5.0 MEDIUM
  An XML External Entity injection (XXE) vulnerability exists in Zoho ManageEngine Network Configuration Manager and OpManager before 12.3.214 via the RequestXML parameter in a /devices/ProcessRequest.do GET request. For example, the attacker can trigger the transmission of local files to an arbitrary remote FTP server.

Ibm | Rational Engineering Lifecycle Manager | Nov 21, 2024 | Nov 2, 2018 | v4 N/A, v3 7.1 HIGH, v2 5.5 MEDIUM
  IBM Rational Engineering Lifecycle Manager 5.0 through 5.0.2 and 6.0 through 6.0.6 are vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 150945.

Ibm | Daeja Viewone | Nov 21, 2024 | Nov 2, 2018 | v4 N/A, v3 7.1 HIGH, v2 5.5 MEDIUM
  IBM Daeja ViewONE Professional, Standard & Virtual 5 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 150514.

Sauter Controls | Case Suite | Nov 21, 2024 | Nov 2, 2018 | v4 N/A, v3 7.5 HIGH, v2 5.0 MEDIUM
  An XXE vulnerability exists in CASE Suite Versions 3.10 and prior when processing parameter entities, which may allow remote file disclosure.

Douchat | Douchat | Nov 21, 2024 | Oct 29, 2018 | v4 N/A, v3 7.5 HIGH, v2 5.0 MEDIUM
  An XXE issue was discovered in Douchat 4.0.4 because Data\notify.php calls simplexml_load_string. This can also be used for SSRF.

Arcserve | Udp | Nov 21, 2024 | Oct 26, 2018 | v4 N/A, v3 7.5 HIGH, v2 5.0 MEDIUM
  An issue was discovered in Arcserve Unified Data Protection (UDP) through 6.5 Update 4. There is a DDI-VRT-2018-19 Unauthenticated XXE in /management/UdpHttpService issue.

Ibm | Security Key Lifecycle Manager | Nov 21, 2024 | Oct 15, 2018 | v4 N/A, v3 7.1 HIGH, v2 5.5 MEDIUM
  IBM Security Key Lifecycle Manager 2.5, 2.6, 2.7, and 3.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 148428.

Ibm | Filenet Content Manager | Nov 21, 2024 | Oct 12, 2018 | v4 N/A, v3 7.1 HIGH, v2 5.5 MEDIUM
  IBM FileNet Content Manager 5.2.1 and 5.5.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 150904.

Eclipse | Vert.x | Nov 21, 2024 | Oct 10, 2018 | v4 N/A, v3 9.8 CRITICAL, v2 7.5 HIGH
  In version from 3.5.Beta1 to 3.5.3 of Eclipse Vert.x, the OpenAPI XML type validator creates XML parsers without taking appropriate defense against XML attacks. This mechanism is exclusively when the developer uses the Eclipse Vert.x OpenAPI XML type validator to validate a provided schema.