Total
992 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-7847 | 3 Adobe, Linux, Microsoft | 3 Campaign, Linux Kernel, Windows | 2019-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| Adobe Campaign Classic version 18.10.5-8984 and earlier versions have an Improper Restriction of XML External Entity Reference ('XXE') vulnerability. Successful exploitation could lead to Arbitrary read access to the file system in the context of the current user. | |||||
| CVE-2019-13625 | 1 Nsa | 1 Ghidra | 2019-07-19 | 9.4 HIGH | 9.1 CRITICAL |
| NSA Ghidra before 9.0.1 allows XXE when a project is opened or restored, or a tool is imported, as demonstrated by a project.prp file. | |||||
| CVE-2018-17152 | 1 Intersystems | 1 Cache | 2019-07-12 | 5.5 MEDIUM | 6.4 MEDIUM |
| Intersystems Cache 2017.2.2.865.0 allows XXE. | |||||
| CVE-2015-3907 | 1 Codeigniter-restserver Project | 1 Codeigniter-restserver | 2019-07-11 | 7.5 HIGH | 9.8 CRITICAL |
| CodeIgniter Rest Server (aka codeigniter-restserver) 2.7.1 allows XXE attacks. | |||||
| CVE-2016-6256 | 1 Sap | 1 Business One | 2019-07-08 | 6.8 MEDIUM | 9.6 CRITICAL |
| SAP Business One for Android 1.2.3 allows remote attackers to conduct XML External Entity (XXE) attacks via crafted XML data in a request to B1iXcellerator/exec/soap/vP.001sap0003.in_WCSX/com.sap.b1i.vplatform.runtime/INB_WS_CALL_SYNC_XPT/INB_WS_CALL_SYNC_XPT.ipo/proc, aka SAP Security Note 2378065. | |||||
| CVE-2018-1000844 | 1 Squareup | 1 Retrofit | 2019-07-01 | 6.4 MEDIUM | 9.1 CRITICAL |
| Square Open Source Retrofit version Prior to commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437 contains a XML External Entity (XXE) vulnerability in JAXB that can result in An attacker could use this to remotely read files from the file system or to perform SSRF.. This vulnerability appears to have been fixed in After commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437. | |||||
| CVE-2018-18406 | 1 Tufin | 2 Securetrack, Tufinos | 2019-06-24 | 6.5 MEDIUM | 9.9 CRITICAL |
| An issue was discovered in Tufin SecureTrack 18.1 with TufinOS 2.16 build 1179(Final). The Audit Report module is affected by a blind XXE vulnerability when a new Best Practices Report is saved using a special payload inside the xml input field. The XXE vulnerability is blind since the response doesn't directly display a requested file, but rather returns it inside the name data field when the report is saved. An attacker is able to view restricted operating system files. This issue affects all types of users: administrators or normal users. | |||||
| CVE-2019-11392 | 1 Dotnetblogengine | 1 Blogengine.net | 2019-06-23 | 5.0 MEDIUM | 7.5 HIGH |
| BlogEngine.NET 3.3.7 and earlier allows XXE via an apml file to syndication.axd. | |||||
| CVE-2019-10718 | 1 Dotnetblogengine | 1 Blogengine.net | 2019-06-23 | 5.0 MEDIUM | 7.5 HIGH |
| BlogEngine.NET 3.3.7.0 and earlier allows XML External Entity Blind Injection, related to pingback.axd and BlogEngine.Core/Web/HttpHandlers/PingbackHandler.cs. | |||||
| CVE-2018-15506 | 1 Bubblesoftapps | 1 Bubbleupnp | 2019-06-21 | 7.5 HIGH | 9.8 CRITICAL |
| In BubbleUPnP 0.9 update 30, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this vulnerability to: (1) Access arbitrary files from the filesystem with the same permission as the user account running BubbleUPnP, (2) Initiate SMB connections to capture a NetNTLM challenge/response and crack the cleartext password, or (3) Initiate SMB connections to relay a NetNTLM challenge/response and achieve Remote Command Execution in Windows domains. | |||||
| CVE-2019-12154 | 1 Realobjects | 1 Pdfreactor | 2019-06-13 | 6.4 MEDIUM | 9.1 CRITICAL |
| XXE in the XML parser library in RealObjects PDFreactor before 10.1.10722 allows attackers to supply malicious XML content in externally referenced resources, leading to disclosure of local file contents and/or denial of service conditions. | |||||
| CVE-2018-20160 | 1 Synacor | 1 Zimbra Collaboration Suite | 2019-05-30 | 7.5 HIGH | 9.8 CRITICAL |
| ZxChat (aka ZeXtras Chat), as used for zimbra-chat and zimbra-talk in Synacor Zimbra Collaboration Suite 8.7 and 8.8 and in other products, allows XXE attacks, as demonstrated by a crafted XML request to mailboxd. | |||||
| CVE-2018-8940 | 1 Enghouse | 1 Contact Center\ | 2019-05-15 | 7.5 HIGH | 9.8 CRITICAL |
| ClientServiceConfigController.cs in Enghouse Cloud Contact Center Platform 7.2.5 has functionality for loading external XML files and parsing them, allowing an attacker to upload a malicious XML file and reference it in the URL of the application, forcing the application to load and parse the malicious XML file, aka an XXE issue. | |||||
| CVE-2018-20664 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2019-05-13 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine ADSelfService Plus 5.x before build 5701 has XXE via an uploaded product license. | |||||
| CVE-2019-7442 | 1 Cyberark | 1 Enterprise Password Vault | 2019-05-10 | 7.5 HIGH | 9.8 CRITICAL |
| An XML external entity (XXE) vulnerability in the Password Vault Web Access (PVWA) of CyberArk Enterprise Password Vault <=10.7 allows remote attackers to read arbitrary files or potentially bypass authentication via a crafted DTD in the SAML authentication system. | |||||
| CVE-2018-0878 | 1 Microsoft | 7 Windows 10, Windows 7, Windows 8.1 and 4 more | 2019-05-08 | 2.6 LOW | 3.1 LOW |
| Windows Remote Assistance in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and 1709, Windows Server 2016 and Windows Server, version 1709 allows an information disclosure vulnerability due to how XML External Entities (XXE) are processed, aka "Windows Remote Assistance Information Disclosure Vulnerability". | |||||
| CVE-2018-14485 | 1 Blogengine | 1 Blogengine.net | 2019-05-08 | 7.5 HIGH | 9.8 CRITICAL |
| BlogEngine.NET 3.3 allows XXE attacks via the POST body to metaweblog.axd. | |||||
| CVE-2017-1458 | 1 Ibm | 1 Qradar Network Security | 2019-05-06 | 5.5 MEDIUM | 8.1 HIGH |
| IBM QRadar Network Security 5.4 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 128377. | |||||
| CVE-2019-11677 | 1 Zohocorp | 1 Manageengine Firewall Analyzer | 2019-05-03 | 7.5 HIGH | 9.8 CRITICAL |
| The Custom Report import function in Zoho ManageEngine Firewall Analyzer before 12.3 Build 123224 is vulnerable to XML External Entity (XXE) Injection. | |||||
| CVE-2019-11519 | 1 Nopcommerce | 1 Nopcommerce | 2019-05-01 | 4.0 MEDIUM | 4.9 MEDIUM |
| Libraries/Nop.Services/Localization/LocalizationService.cs in nopCommerce through 4.10 allows XXE via the "Configurations -> Languages -> Edit Language -> Import Resources -> Upload XML file" screen. | |||||