Total
992 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-17912 | 1 Sauter-controls | 1 Case Suite | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH |
| An XXE vulnerability exists in CASE Suite Versions 3.10 and prior when processing parameter entities, which may allow remote file disclosure. | |||||
| CVE-2018-17889 | 1 We-con | 2 Pi Studio, Pi Studio Hmi | 2019-10-09 | 4.3 MEDIUM | 5.3 MEDIUM |
| In WECON Technology Co., Ltd. PI Studio HMI versions 4.1.9 and prior and PI Studio versions 4.2.34 and prior when parsing project files, the XMLParser that ships with Wecon PIStudio is vulnerable to a XML external entity injection attack, which may allow sensitive information disclosure. | |||||
| CVE-2018-17247 | 1 Elastic | 1 Elasticsearch | 2019-10-09 | 4.3 MEDIUM | 5.9 MEDIUM |
| Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning's find_file_structure API. If a policy allowing external network access has been added to Elasticsearch's Java Security Manager then an attacker could send a specially crafted request capable of leaking content of local files on the Elasticsearch node. This could allow a user to access information that they should not have access to. | |||||
| CVE-2018-15444 | 1 Cisco | 1 Energy Management Suite Software | 2019-10-09 | 4.9 MEDIUM | 7.3 HIGH |
| A vulnerability in the web-based user interface of Cisco Energy Management Suite Software could allow an authenticated, remote attacker to gain read and write access to information that is stored on an affected system. The vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by convincing a user of an affected system to import a crafted XML file with malicious entries, which could allow the attacker to read and write files within the affected application. | |||||
| CVE-2018-12408 | 1 Tibco | 2 Activematrix Businessworks, Activematrix Businessworks Distribution For Tibco Silver Fabric | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH |
| The BusinessWorks engine component of TIBCO Software Inc.'s TIBCO ActiveMatrix BusinessWorks, TIBCO ActiveMatrix BusinessWorks for z/Linux, and TIBCO ActiveMatrix BusinessWorks Distribution for TIBCO Silver Fabric contains a vulnerability that may allow XML eXternal Entity (XXE) attacks via incoming network messages, and may disclose the contents of files accessible to a running BusinessWorks engine Affected releases are TIBCO Software Inc. TIBCO ActiveMatrix BusinessWorks: versions up to and including 5.13.0, TIBCO ActiveMatrix BusinessWorks for z/Linux: versions up to and including 5.13.0, TIBCO ActiveMatrix BusinessWorks Distribution for TIBCO Silver Fabric: versions up to and including 5.13.0. | |||||
| CVE-2018-10614 | 1 We-con | 1 Levistudiou | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| An XXE vulnerability in LeviStudioU, Versions 1.8.29 and 1.8.44 can be exploited when the application processes specially crafted project XML files. | |||||
| CVE-2018-10613 | 1 Ge | 1 Mds Pulsenet | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH |
| Multiple variants of XML External Entity (XXE) attacks may be used to exfiltrate data from the host Windows platform in GE MDS PulseNET and MDS PulseNET Enterprise version 3.2.1 and prior. | |||||
| CVE-2018-10600 | 1 Selinc | 1 Acselerator Architect | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| SEL AcSELerator Architect version 2.2.24.0 and prior allows unsanitized input to be passed to the XML parser, which may allow disclosure and retrieval of arbitrary data, arbitrary code execution (in certain situations on specific platforms), and denial of service attacks. | |||||
| CVE-2018-0414 | 1 Cisco | 1 Secure Access Control Server Solution Engine | 2019-10-09 | 3.5 LOW | 5.7 MEDIUM |
| A vulnerability in the web-based UI of Cisco Secure Access Control Server could allow an authenticated, remote attacker to gain read access to certain information in an affected system. The vulnerability is due to improper handling of XML External Entities (XXEs) when parsing an XML file. An attacker could exploit this vulnerability by convincing the administrator of an affected system to import a crafted XML file. | |||||
| CVE-2018-0108 | 1 Cisco | 1 Webex Meetings Server | 2019-10-09 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability in Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to collect customer files via an out-of-band XML External Entity (XXE) injection. An attacker could exploit this vulnerability to gain information to conduct additional reconnaissance attacks. The vulnerability is due to the ability of an attacker to perform an out-of-band XXE injection on the system, which could allow an attacker to capture customer files and redirect them to another destination address. An exploit could allow the attacker to discover sensitive customer data. Cisco Bug IDs: CSCvg36996. | |||||
| CVE-2018-0100 | 1 Cisco | 1 Anyconnect Secure Mobility Client | 2019-10-09 | 3.6 LOW | 4.4 MEDIUM |
| A vulnerability in the Profile Editor of the Cisco AnyConnect Secure Mobility Client could allow an unauthenticated, local attacker to have read and write access to information stored in the affected system. The vulnerability is due to improper handling of the XML External Entity (XXE) entries when parsing an XML file. An attacker could exploit this vulnerability by injecting a crafted XML file with malicious entries, which could allow the attacker to read and write files. Cisco Bug IDs: CSCvg19341. | |||||
| CVE-2017-7545 | 1 Redhat | 3 Decision Manager, Jboss Bpm Suite, Jbpm | 2019-10-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| It was discovered that the XmlUtils class in jbpmmigration 6.5 performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML eXternal Entity (XXE) attacks. | |||||
| CVE-2017-3206 | 1 Exadel | 1 Flamingo | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| The Java implementation of AMF3 deserializers used by Flamingo amf-serializer by Exadel, version 2.2.0, allows external entity references (XXEs) from XML documents embedded within AMF3 messages. If the XML parsing is handled incorrectly it could potentially expose sensitive data on the server, denial of service, or server side request forgery. | |||||
| CVE-2017-12216 | 1 Cisco | 1 Socialminer | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| A vulnerability in the web-based user interface of Cisco SocialMiner could allow an unauthenticated, remote attacker to have read and write access to information stored in the affected system. The vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing an XML file. An attacker could exploit this vulnerability by convincing the administrator of an affected system to import a crafted XML file with malicious entries, which could allow the attacker to read and write files and execute remote code within the application. Cisco Bug IDs: CSCvf47946. | |||||
| CVE-2016-9491 | 1 Zohocorp | 1 Manageengine Applications Manager | 2019-10-09 | 6.8 MEDIUM | 4.9 MEDIUM |
| ManageEngine Applications Manager 12 and 13 before build 13690 allows an authenticated user, who is able to access /register.do page (most likely limited to administrator), to browse the filesystem and read the system files, including Applications Manager configuration, stored private keys, etc. By default Application Manager is running with administrative privileges, therefore it is possible to access every directory on the underlying operating system. | |||||
| CVE-2016-9487 | 1 W3 | 1 Epubcheck | 2019-10-09 | 6.8 MEDIUM | 7.8 HIGH |
| EpubCheck 4.0.1 does not properly restrict resolving external entities when parsing XML in EPUB files during validation. An attacker who supplies a specially crafted EPUB file may be able to exploit this behavior to read arbitrary files, or have the victim execute arbitrary requests on his behalf, abusing the victim's trust relationship with other entities. | |||||
| CVE-2015-2125 | 1 Hp | 1 Webinspect | 2019-10-09 | 4.0 MEDIUM | N/A |
| Unspecified vulnerability in HP WebInspect 7.x through 10.4 before 10.4 update 1 allows remote authenticated users to bypass intended access restrictions via unknown vectors. | |||||
| CVE-2015-9280 | 1 Mailenable | 1 Mailenable | 2019-10-03 | 5.0 MEDIUM | 10.0 CRITICAL |
| MailEnable before 8.60 allows XXE via an XML document in the request.aspx Options parameter. | |||||
| CVE-2017-8710 | 1 Microsoft | 2 Windows 7, Windows Server 2008 | 2019-10-03 | 4.3 MEDIUM | 5.5 MEDIUM |
| The Microsoft Common Console Document (.msc) in Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1 allows an attacker to read arbitrary files via an XML external entity (XXE) declaration, due to the way that the Microsoft Common Console Document (.msc) parses XML input containing a reference to an external entity, aka "Windows Information Disclosure Vulnerability". | |||||
| CVE-2017-3548 | 1 Oracle | 1 Peoplesoft Enterprise Peopletools | 2019-10-03 | 6.4 MEDIUM | 6.5 MEDIUM |
| Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Integration Broker). Supported versions that are affected are 8.54 and 8.55. Easily "exploitable" vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of PeopleSoft Enterprise PeopleTools. CVSS 3.0 Base Score 6.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L). | |||||