Total: 992 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-2115 | 1 Jenkins | 1 Nunit | 2023-10-25 | 6.5 MEDIUM | 8.8 HIGH |
| Jenkins NUnit Plugin 0.25 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2020-2108 | 1 Jenkins | 1 Websphere Deployer | 2023-10-25 | 6.5 MEDIUM | 7.6 HIGH |
| Jenkins WebSphere Deployer Plugin 1.6.1 and earlier does not configure the XML parser to prevent XXE attacks which can be exploited by a user with Job/Configure permissions. | |||||
| CVE-2020-2092 | 1 Jenkins | 1 Robot Framework | 2023-10-25 | 6.5 MEDIUM | 8.8 HIGH |
| Jenkins Robot Framework Plugin 2.0.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks, allowing users with Job/Configure to have Jenkins parse crafted XML documents. | |||||
| CVE-2019-16549 | 1 Jenkins | 1 Maven | 2023-10-25 | 6.8 MEDIUM | 8.1 HIGH |
| Jenkins Maven Release Plugin 0.16.1 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks, allowing man-in-the-middle attackers to have Jenkins parse crafted XML documents. | |||||
| CVE-2019-10466 | 1 Jenkins | 1 360 Fireline | 2023-10-25 | 5.5 MEDIUM | 8.1 HIGH |
| An XML external entities (XXE) vulnerability in Jenkins 360 FireLine Plugin allows attackers with Overall/Read access to have Jenkins resolve external entities, resulting in the extraction of secrets from the Jenkins agent, server-side request forgery, or denial-of-service attacks. | |||||
| CVE-2019-10337 | 1 Jenkins | 1 Token Macro | 2023-10-25 | 5.0 MEDIUM | 7.5 HIGH |
| An XML external entities (XXE) vulnerability in Jenkins Token Macro Plugin 2.7 and earlier allowed attackers able to control the content of the input file for the "XML" macro to have Jenkins resolve external entities, resulting in the extraction of secrets from the Jenkins agent, server-side request forgery, or denial-of-service attacks. | |||||
| CVE-2019-10327 | 1 Jenkins | 1 Pipeline Maven Integration | 2023-10-25 | 5.5 MEDIUM | 8.1 HIGH |
| An XML external entities (XXE) vulnerability in Jenkins Pipeline Maven Integration Plugin 1.7.0 and earlier allowed attackers able to control a temporary directory's content on the agent running the Maven build to have Jenkins parse a maliciously crafted XML file that uses external entities for extraction of secrets from the Jenkins master, server-side request forgery, or denial-of-service attacks. | |||||
| CVE-2019-10309 | 1 Jenkins | 1 Self-organizing Swarm Modules | 2023-10-25 | 4.8 MEDIUM | 9.3 CRITICAL |
| Jenkins Self-Organizing Swarm Plug-in Modules Plugin clients that use UDP broadcasts to discover Jenkins masters do not prevent XML External Entity processing when processing the responses, allowing unauthorized attackers on the same network to read arbitrary files from Swarm clients. | |||||
| CVE-2019-1003015 | 1 Jenkins | 1 Job Import | 2023-10-25 | 6.4 MEDIUM | 9.1 CRITICAL |
| An XML external entity processing vulnerability exists in Jenkins Job Import Plugin 2.1 and earlier in src/main/java/org/jenkins/ci/plugins/jobimport/client/RestApiClient.java that allows attackers with the ability to control the HTTP server (Jenkins) queried in preparation of job import to read arbitrary files, perform a denial of service attack, etc. | |||||
| CVE-2023-45727 | 1 Northgrid | 1 Proself | 2023-10-25 | N/A | 7.5 HIGH |
| Proself Enterprise/Standard Edition Ver5.62 and earlier, Proself Gateway Edition Ver1.65 and earlier, and Proself Mail Sanitize Edition Ver1.08 and earlier allow a remote unauthenticated attacker to conduct XML External Entity (XXE) attacks. By processing a specially crafted request containing malformed XML data, arbitrary files on the server containing account information may be read by the attacker. | |||||
| CVE-2022-28890 | 1 Apache | 1 Jena | 2023-10-25 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability in the RDF/XML parser of Apache Jena allows an attacker to cause an external DTD to be retrieved. This issue affects Apache Jena version 4.4.0 and prior versions. Apache Jena 4.2.x and 4.3.x do not allow external entities. | |||||
| CVE-2022-32755 | 1 Ibm | 3 Security Directory Server, Security Directory Suite, Security Verify Directory | 2023-10-18 | N/A | 9.1 CRITICAL |
| IBM Security Directory Server 6.4.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 228505. | |||||
| CVE-2020-26513 | 1 Intland | 1 Codebeamer | 2023-10-18 | 4.3 MEDIUM | 5.5 MEDIUM |
| An issue was discovered in Intland codeBeamer ALM 10.x through 10.1.SP4. The ReqIF XML data, used by the codebeamer ALM application to import projects, is parsed by insecurely configured software components, which can be abused for XML External Entity Attacks. | |||||
| CVE-2023-45612 | 1 Jetbrains | 1 Ktor | 2023-10-12 | N/A | 9.8 CRITICAL |
| In JetBrains Ktor before 2.3.5, the default configuration of ContentNegotiation with the XML format was vulnerable to XXE. | |||||
| CVE-2023-42132 | 1 Mhlw | 1 Fd Application | 2023-10-03 | N/A | 5.5 MEDIUM |
| FD Application Apr. 2022 Edition (Version 9.01) and earlier improperly restricts XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker. | |||||
| CVE-2021-45096 | 1 Knime | 1 Knime Analytics Platform | 2023-09-28 | 4.3 MEDIUM | 4.3 MEDIUM |
| KNIME Analytics Platform before 4.5.0 is vulnerable to XXE (external XML entity injection) via a crafted workflow file (.knwf), aka AP-17730. | |||||
| CVE-2020-25215 | 1 Yworks | 1 Yed | 2023-09-28 | 7.5 HIGH | 9.8 CRITICAL |
| yWorks yEd Desktop before 3.20.1 allows XXE attacks via an XML or GraphML document. | |||||
| CVE-2023-38343 | 1 Ivanti | 1 Endpoint Manager | 2023-09-25 | N/A | 7.5 HIGH |
| An XXE (XML external entity injection) vulnerability exists in the CSEP component of Ivanti Endpoint Manager before 2022 SU4. External entity references are enabled in the XML parser configuration. Exploitation of this vulnerability can lead to file disclosure or Server Side Request Forgery. | |||||
| CVE-2023-3892 | 1 Mimsoftware | 2 Assistant, Client | 2023-09-22 | N/A | 7.4 HIGH |
| Improper Restriction of XML External Entity Reference vulnerability in MIM Assistant and Client DICOM RTst Loading modules allows XML Entity Linking / XML External Entities Blowup. In order to take advantage of this vulnerability, an attacker must craft a malicious XML document, embed this document into specific 3rd party private RTst metadata tags, transfer the now compromised DICOM object to MIM, and force MIM to archive and load the data. Users on either version are strongly encouraged to update to an unaffected version (7.2.11+, 7.3.4+). This issue was found and analyzed by MIM Software's internal security team. We are unaware of any proof of concept or actual exploit available in the wild. For more information, visit https://www.mimsoftware.com/cve-2023-3892 This issue affects MIM Assistant: 7.2.10, 7.3.3; MIM Client: 7.2.10, 7.3.3. | |||||
| CVE-2023-41369 | 1 Sap | 1 S/4 Hana | 2023-09-14 | N/A | 4.3 MEDIUM |
| The Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, 107, 108, allows an attacker to upload an XML file as an attachment. When the XML file in the attachment section is clicked, it is opened in the browser, where its entity loops slow the browser down. | |||||
