Total: 992 CVEs

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2019-3481 | 1 Hp | 1 Arcsight Logger | 2023-11-07 | 7.5 HIGH | 7.1 HIGH | Mitigates an XML External Entity Parsing issue in ArcSight Logger versions prior to 6.7. |
| CVE-2019-20191 | 1 Sync | 3 Oxygen Xml Author, Oxygen Xml Developer, Oxygen Xml Editor | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH | Oxygen XML Editor 21.1.1 allows XXE to read any file. |
| CVE-2019-18943 | 1 Microfocus | 1 Solutions Business Manager | 2023-11-07 | 5.2 MEDIUM | 8.0 HIGH | Micro Focus Solutions Business Manager versions prior to 11.7.1 are vulnerable to XML External Entity Processing (XXE) on certain operations. |
| CVE-2019-17554 | 1 Apache | 1 Olingo | 2023-11-07 | 4.3 MEDIUM | 5.5 MEDIUM | The XML content type entity deserializer in Apache Olingo versions 4.0.0 to 4.6.0 is not configured to deny the resolution of external entities. Requests with content type "application/xml", which trigger the deserialization of entities, can be used to trigger XXE attacks. |
| CVE-2019-17085 | 1 Microfocus | 1 Operations Agent | 2023-11-07 | 4.0 MEDIUM | 6.5 MEDIUM | XXE attack vulnerability on Micro Focus Operations Agent, affected versions 12.0, 12.01, 12.02, 12.03, 12.04, 12.05, 12.06, 12.10, 12.11. The vulnerability could be exploited to do an XXE attack on Operations Agent. |
| CVE-2019-12415 | 2 Apache, Oracle | 27 Poi, Application Testing Suite, Banking Enterprise Originations and 24 more | 2023-11-07 | 2.1 LOW | 5.5 MEDIUM | In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing. |
| CVE-2019-10782 | 1 Checkstyle | 1 Checkstyle | 2023-11-07 | 5.0 MEDIUM | 5.3 MEDIUM | All versions of com.puppycrawl.tools:checkstyle before 8.29 are vulnerable to XML External Entity (XXE) Injection due to an incomplete fix for CVE-2019-9658. |
| CVE-2019-10080 | 1 Apache | 1 Nifi | 2023-11-07 | 4.0 MEDIUM | 6.5 MEDIUM | The XMLFileLookupService in NiFi versions 1.3.0 to 1.9.2 allowed trusted users to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE) and reveal information such as the versions of Java, Jersey, and Apache that the NiFi instance uses. |
| CVE-2019-0228 | 3 Apache, Fedoraproject, Oracle | 14 James, Pdfbox, Fedora and 11 more | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL | Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XFDF. |
| CVE-2019-0188 | 2 Apache, Oracle | 5 Camel, Enterprise Data Quality, Enterprise Manager Base Platform and 2 more | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH | Apache Camel prior to 2.24.0 contains an XML external entity injection (XXE) vulnerability (CWE-611) due to using an outdated vulnerable JSON-lib library. This affects only the camel-xmljson component, which was removed. |
| CVE-2018-9116 | 1 Wiremock | 1 Wiremock | 2023-11-07 | 6.4 MEDIUM | 9.1 CRITICAL | An XXE vulnerability within WireMock before 2.16.0 allows a remote unauthenticated attacker to access local files and internal resources and potentially cause a Denial of Service. |
| CVE-2018-8027 | 1 Apache | 1 Camel | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL | Apache Camel 2.20.0 to 2.20.3 and 2.21.0 Core is vulnerable to XXE in the XSD validation processor. |
| CVE-2018-8010 | 1 Apache | 1 Solr | 2023-11-07 | 2.1 LOW | 5.5 MEDIUM | This vulnerability in Apache Solr 6.0.0 to 6.6.3, 7.0.0 to 7.3.0 relates to an XML external entity expansion (XXE) in Solr config files (solrconfig.xml, schema.xml, managed-schema). In addition, XInclude functionality provided in these config files is also affected in a similar way. The vulnerability can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network. Users are advised to upgrade to either Solr 6.6.4 or Solr 7.3.1 releases, both of which address the vulnerability. Once the upgrade is complete, no other steps are required. Those releases only allow external entities and XIncludes that refer to local files / zookeeper resources below the Solr instance directory (using Solr's ResourceLoader); usage of absolute URLs is denied. Keep in mind that external entities and XInclude are explicitly supported to better structure config files in large installations. Before Solr 6 this was no problem, as config files were not accessible through the APIs. |
| CVE-2018-6670 | 1 Mcafee | 1 Common Catalog | 2023-11-07 | 4.0 MEDIUM | 6.5 MEDIUM | External Entity Attack vulnerability in the ePO extension in McAfee Common UI (CUI) 2.0.2 allows remote authenticated users to view confidential information via a crafted HTTP request parameter. |
| CVE-2018-6489 | 1 Microfocus | 1 Project And Portfolio Management Center | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL | XML External Entity (XXE) vulnerability in Micro Focus Project and Portfolio Management Center, version 9.32. This vulnerability can be exploited to allow XML External Entity (XXE) |
| CVE-2018-6486 | 1 Microfocus | 2 Fortify Audit Workbench, Fortify Software Security Center | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL | XML External Entity (XXE) vulnerability in Micro Focus Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC), versions 16.10, 16.20, 17.10. This vulnerability could be exploited to allow an XML External Entity (XXE) injection. |
| CVE-2018-20843 | 7 Canonical, Debian, Fedoraproject and 4 more | 9 Ubuntu Linux, Debian Linux, Fedora and 6 more | 2023-11-07 | 7.8 HIGH | 7.5 HIGH | In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks). |
| CVE-2018-20433 | 2 Debian, Mchange | 2 Debian Linux, C3p0 | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL | c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization. |
| CVE-2018-1308 | 2 Apache, Debian | 2 Solr, Debian Linux | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH | This vulnerability in Apache Solr 1.2 to 6.6.2 and 7.0.0 to 7.2.1 relates to an XML external entity expansion (XXE) in the `&dataConfig=<inlinexml>` parameter of Solr's DataImportHandler. It can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network. |
| CVE-2018-1285 | 4 Apache, Fedoraproject, Netapp and 1 more | 7 Log4net, Fedora, Manageability Software Development Kit and 4 more | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL | Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files. |
