Total
992 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2016-8526 | 1 Hp | 1 Airwave | 2018-10-16 | 4.0 MEDIUM | 8.8 HIGH |
| Aruba Airwave all versions up to, but not including, 8.2.3.1 is vulnerable to an XML external entities (XXE). XXEs are a way to permit XML parsers to access storage that exist on external systems. If an unprivileged user is permitted to control the contents of XML files, XXE can be used as an attack vector. Because the XML parser has access to the local filesystem and runs with the permissions of the web server, it can access any file that is readable by the web server and copy it to an external system of the attacker's choosing. This could include files that contain passwords, which could then lead to privilege escalation. | |||||
| CVE-2016-4312 | 1 Wso2 | 1 Identity Server | 2018-10-09 | 6.0 MEDIUM | 7.5 HIGH |
| XML external entity (XXE) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 before WSO2-CARBON-PATCH-4.4.0-0231 allows remote authenticated users with access to XACML features to read arbitrary files, cause a denial of service, conduct server-side request forgery (SSRF) attacks, or have unspecified other impact via a crafted XACML request to entitlement/eval-policy-submit.jsp. NOTE: this issue can be combined with CVE-2016-4311 to exploit the vulnerability without credentials. | |||||
| CVE-2015-7326 | 1 Milton | 1 Webdav | 2018-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| XML External Entity (XXE) vulnerability in Milton Webdav before 2.7.0.3. | |||||
| CVE-2015-7241 | 1 Sap | 1 Netweaver | 2018-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| XML External Entity (XXE) vulnerability in SAP Netweaver before 7.01. | |||||
| CVE-2018-14473 | 1 Ocsinventory-ng | 1 Ocsinventory Ng | 2018-10-01 | 6.4 MEDIUM | 9.1 CRITICAL |
| OCS Inventory 2.4.1 lacks a proper XML parsing configuration, allowing the use of external entities. This issue can be exploited by an attacker sending a crafted HTTP request in order to exfiltrate information or cause a Denial of Service. | |||||
| CVE-2014-2296 | 1 Apereo | 1 Cas Server | 2018-09-19 | 6.8 MEDIUM | 8.8 HIGH |
| XML external entity (XXE) vulnerability in java/org/jasig/cas/util/SamlUtils.java in Jasig CAS server before 3.4.12.1 and 3.5.x before 3.5.2.1, when Google Accounts Integration is enabled, allows remote unauthenticated users to bypass authentication via crafted XML data. | |||||
| CVE-2018-14065 | 1 Phpoffice Project | 1 Common | 2018-09-12 | 7.5 HIGH | 9.8 CRITICAL |
| XMLReader.php in PHPOffice Common before 0.2.9 allows XXE. | |||||
| CVE-2018-13439 | 1 Tencent | 1 Wechat Pay | 2018-09-10 | 5.0 MEDIUM | 7.5 HIGH |
| WXPayUtil in WeChat Pay Java SDK allows XXE attacks involving a merchant notification URL. | |||||
| CVE-2018-11640 | 1 Dialogic | 1 Powermedia Xms | 2018-09-07 | 6.4 MEDIUM | 9.1 CRITICAL |
| XML External Entity (XXE) vulnerability in the web service in Dialogic PowerMedia XMS before 3.5 SU2 allows remote attackers to read arbitrary files or cause a denial of service (resource consumption). | |||||
| CVE-2018-1000614 | 1 Onosproject | 1 Onos | 2018-09-04 | 7.5 HIGH | 9.8 CRITICAL |
| ONOS ONOS Controller version 1.13.1 and earlier contains a XML External Entity (XXE) vulnerability in providers/netconf/alarm/src/main/java/org/onosproject/provider/netconf/alarm/NetconfAlarmTranslator.java that can result in An adversary can remotely launch advanced XXE attacks on ONOS controller without authentication.. This attack appear to be exploitable via crafted protocol message. | |||||
| CVE-2018-1000616 | 1 Onosproject | 1 Onos | 2018-09-04 | 7.5 HIGH | 9.8 CRITICAL |
| ONOS ONOS controller version 1.13.1 and earlier contains a XML External Entity (XXE) vulnerability in onos\drivers\utilities\src\main\java\org\onosproject\drivers\utilities\XmlConfigParser.java loadxml() that can result in An adversary can remotely launch XXE attacks on ONOS controller via an OpenConfig Terminal Device.. This attack appear to be exploitable via network connectivity. | |||||
| CVE-2018-1000540 | 1 Loboevolution Project | 1 Loboevolution | 2018-08-20 | 6.8 MEDIUM | 7.8 HIGH |
| LoboEvolution version < 9b75694cedfa4825d4a2330abf2719d470c654cd contains a XML External Entity (XXE) vulnerability in XML Parsing when viewing the XML file in the browser that can result in disclosure of confidential data, denial of service, server side request forgery. This attack appear to be exploitable via Specially crafted XML file. | |||||
| CVE-2018-1000515 | 1 News-articles Project | 1 News-articles | 2018-08-20 | 5.0 MEDIUM | 7.5 HIGH |
| ventrian News-Articles version NewsArticles.00.09.11 contains a XML External Entity (XXE) vulnerability in News-Articles/API/MetaWebLog/Handler.ashx.vb that can result in Attacker can read any file in the server or use smbrelay attack to access to server.. | |||||
| CVE-2018-1000548 | 1 Umlet | 1 Umlet | 2018-08-20 | 6.8 MEDIUM | 7.8 HIGH |
| Umlet version < 14.3 contains a XML External Entity (XXE) vulnerability in File parsing that can result in disclosure of confidential data, denial of service, server side request forgery. This attack appear to be exploitable via Specially crafted UXF file. This vulnerability appears to have been fixed in 14.3. | |||||
| CVE-2018-1000546 | 1 Triplea-game | 1 Triplea | 2018-08-20 | 6.8 MEDIUM | 7.8 HIGH |
| Triplea version <= 1.9.0.0.10291 contains a XML External Entity (XXE) vulnerability in Importing game data that can result in Possible information disclosure, server-side request forgery, or remote code execution. This attack appear to be exploitable via Specially crafted game data file (XML). | |||||
| CVE-2018-1000542 | 1 Netbeans-mmd-plugin Project | 1 Netbeans-mmd-plugin | 2018-08-20 | 6.8 MEDIUM | 7.8 HIGH |
| netbeans-mmd-plugin version <= 1.4.3 contains a XML External Entity (XXE) vulnerability in MMD file import that can result in Possible information disclosure, server-side request forgery, or remote code execution. This attack appear to be exploitable via Specially crafted MMD file. | |||||
| CVE-2017-3208 | 1 Themidnightcoders | 1 Weborb For Java | 2018-08-06 | 7.5 HIGH | 9.8 CRITICAL |
| The Java implementation of AMF3 deserializers used by WebORB for Java by Midnight Coders, version 5.1.1.0, allows external entity references (XXEs) from XML documents embedded within AMF3 messages. If the XML parsing is handled incorrectly it could potentially expose sensitive data on the server, denial of service, or server side request forgery. | |||||
| CVE-2018-11586 | 1 Searchblox | 1 Searchblox | 2018-07-31 | 7.5 HIGH | 9.8 CRITICAL |
| XML external entity (XXE) vulnerability in api/rest/status in SearchBlox 8.6.7 allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. | |||||
| CVE-2018-1456 | 1 Ibm | 2 Rational Rhapsody Design Manager, Rational Software Architect Design Manager | 2018-07-24 | 5.5 MEDIUM | 7.1 HIGH |
| IBM Rhapsody DM 5.0 through 5.0.2 and 6.0 through 6.0.5 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 140091. | |||||
| CVE-2018-1000198 | 1 Jenkins | 1 Black Duck Hub | 2018-07-18 | 4.0 MEDIUM | 6.5 MEDIUM |
| A XML external entity processing vulnerability exists in Jenkins Black Duck Hub Plugin 3.1.0 and older in PostBuildScanDescriptor.java that allows attackers with Overall/Read permission to make Jenkins process XML eternal entities in an XML document. | |||||