Total
992 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-43990 | 1 Fanuc | 1 Roboguide | 2022-10-17 | 2.6 LOW | 5.3 MEDIUM |
| The affected product is vulnerable to a network-based attack by threat actors supplying a crafted, malicious XML payload designed to trigger an external entity reference call. | |||||
| CVE-2019-6179 | 1 Lenovo | 2 Xclarity Administrator, Xclarity Integrator | 2022-10-14 | 5.0 MEDIUM | 7.5 HIGH |
| An XML External Entity (XXE) processing vulnerability was reported in Lenovo XClarity Administrator (LXCA) prior to version 2.5.0 , Lenovo XClarity Integrator (LXCI) for Microsoft System Center prior to version 7.7.0, and Lenovo XClarity Integrator (LXCI) for VMWare vCenter prior to version 6.1.0 that could allow information disclosure. | |||||
| CVE-2020-6238 | 1 Sap | 1 Commerce Cloud | 2022-10-06 | 6.4 MEDIUM | 9.3 CRITICAL |
| SAP Commerce, versions - 6.6, 6.7, 1808, 1811, 1905, does not process XML input securely in the Rest API from Servlet xyformsweb, leading to Missing XML Validation. This affects confidentiality and availability (partially) of SAP Commerce. | |||||
| CVE-2022-42307 | 1 Veritas | 1 Netbackup | 2022-10-04 | N/A | 9.8 CRITICAL |
| An issue was discovered in Veritas NetBackup through 10.0.0.1 and related Veritas products. The NetBackup Primary server is vulnerable to an XML External Entity (XXE) Injection attack through the DiscoveryService service. | |||||
| CVE-2022-42301 | 1 Veritas | 1 Netbackup | 2022-10-04 | N/A | 8.8 HIGH |
| An issue was discovered in Veritas NetBackup through 10.0.0.1 and related Veritas products. The NetBackup Primary server is vulnerable to an XML External Entity (XXE) injection attack through the nbars process. | |||||
| CVE-2020-15772 | 1 Gradle | 1 Enterprise | 2022-09-30 | 4.0 MEDIUM | 4.9 MEDIUM |
| An issue was discovered in Gradle Enterprise 2018.5 - 2020.2.4. When configuring Gradle Enterprise to integrate with a SAML identity provider, an XML metadata file can be uploaded by an administrator. The server side processing of this file dereferences XML External Entities (XXE), allowing a remote attacker with administrative access to perform server side request forgery. | |||||
| CVE-2022-34348 | 1 Ibm | 1 Sterling Partner Engagement Manager | 2022-09-27 | N/A | 7.1 HIGH |
| IBM Sterling Partner Engagement Manager 6.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 230017. | |||||
| CVE-2022-1700 | 1 Forcepoint | 5 Cloud Security Gateway, Data Loss Prevention, Email Security and 2 more | 2022-09-15 | N/A | 9.8 CRITICAL |
| Improper Restriction of XML External Entity Reference ('XXE') vulnerability in the Policy Engine of Forcepoint Data Loss Prevention (DLP), which is also leveraged by Forcepoint One Endpoint (F1E), Web Security Content Gateway, Email Security with DLP enabled, and Cloud Security Gateway prior to June 20, 2022. The XML parser in the Policy Engine was found to be improperly configured to support external entities and external DTD (Document Type Definitions), which can lead to an XXE attack. This issue affects: Forcepoint Data Loss Prevention (DLP) versions prior to 8.8.2. Forcepoint One Endpoint (F1E) with Policy Engine versions prior to 8.8.2. Forcepoint Web Security Content Gateway versions prior to 8.5.5. Forcepoint Email Security with DLP enabled versions prior to 8.5.5. Forcepoint Cloud Security Gateway prior to June 20, 2022. | |||||
| CVE-2022-32458 | 1 Digiwin | 1 Business Process Management | 2022-09-14 | N/A | 7.5 HIGH |
| Digiwin BPM has a XML External Entity Injection (XXE) vulnerability due to insufficient validation for user input. An unauthenticated remote attacker can perform XML injection attack to access arbitrary system files. | |||||
| CVE-2022-37189 | 1 Ddmal | 1 Mei2volpiano | 2022-09-10 | N/A | 7.5 HIGH |
| DDMAL MEI2Volpiano 0.8.2 is vulnerable to XML External Entity (XXE), leading to a Denial of Service. This occurs due to the usage of the unsafe 'xml.etree' library to parse untrusted XML input. | |||||
| CVE-2022-22835 | 1 Overit | 1 Geocall | 2022-09-03 | 3.5 LOW | 6.5 MEDIUM |
| An issue was discovered in OverIT Geocall before version 8.0. An authenticated user who has the Test Trasformazione XSL functionality enabled can exploit a XXE vulnerability to read arbitrary files from the filesystem. | |||||
| CVE-2022-2759 | 1 Deltaww | 1 Delta Robot Automation Studio | 2022-09-02 | N/A | 8.6 HIGH |
| Delta Electronics Delta Robot Automation Studio (DRAS) versions prior to 1.13.20 are affected by improper restrictions where the software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. This may allow an attacker to view sensitive documents and information on the affected host. | |||||
| CVE-2020-25020 | 2 Mpxj, Oracle | 2 Mpxj, Primavera Unifier | 2022-09-02 | 7.5 HIGH | 9.8 CRITICAL |
| MPXJ through 8.1.3 allows XXE attacks. This affects the GanttProjectReader and PhoenixReader components. | |||||
| CVE-2022-22489 | 3 Ibm, Linux, Microsoft | 3 Mq, Linux Kernel, Windows | 2022-08-22 | N/A | 9.1 CRITICAL |
| IBM MQ 8.0, (9.0, 9.1, 9.2 LTS), and (9.1 and 9.2 CD) are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 226339. | |||||
| CVE-2020-14379 | 1 Redhat | 1 Jboss A-mq | 2022-08-17 | N/A | 5.6 MEDIUM |
| A flaw was found in Red Hat AMQ Broker in a way that a XEE attack can be done via Broker's configuration files, leading to denial of service and information disclosure. | |||||
| CVE-2020-21641 | 1 Zohocorp | 1 Manageengine Analytics Plus | 2022-08-16 | N/A | 7.5 HIGH |
| Out-of-Band XML External Entity (OOB-XXE) vulnerability in Zoho ManageEngine Analytics Plus before 4.3.5 allows remote attackers to read arbitrary files, enumerate folders and scan internal ports via crafted XML license file. | |||||
| CVE-2022-1704 | 1 Inductiveautomation | 1 Ignition | 2022-08-11 | N/A | 9.8 CRITICAL |
| Due to an XML external entity reference, the software parses XML in the backup/restore functionality without XML security flags, which may lead to a XXE attack while restoring the backup. | |||||
| CVE-2021-27777 | 1 Hcltech | 1 Unica | 2022-08-06 | 5.0 MEDIUM | 7.5 HIGH |
| XML External Entity (XXE) injection vulnerabilities occur when poorly configured XML parsers process user supplied input without sufficient validation. Attackers can exploit this vulnerability to manipulate XML content and inject malicious external entity references. | |||||
| CVE-2022-27873 | 1 Autodesk | 1 Fusion 360 | 2022-08-05 | N/A | 7.8 HIGH |
| An attacker can force the victim’s device to perform arbitrary HTTP requests in WAN through a malicious SVG file being parsed by Autodesk Fusion 360’s document parser. The vulnerability exists in the application’s ‘Insert SVG’ procedure. An attacker can also leverage this vulnerability to obtain victim’s public IP and possibly other sensitive information. | |||||
| CVE-2021-42537 | 1 Visam | 1 Vbase Web-remote | 2022-08-05 | N/A | 7.5 HIGH |
| VISAM VBASE version 11.6.0.6 processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. | |||||