Total
1116 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-16303 | 1 Pdf-xchange | 1 Pdf-xchange Editor | 2024-11-27 | 5.0 MEDIUM | 7.5 HIGH |
| PDF-XChange Editor through 7.0.326.1 allows remote attackers to cause a denial of service (resource consumption) via a crafted x:xmpmeta structure, a related issue to CVE-2003-1564. | |||||
| CVE-2022-20938 | 1 Cisco | 1 Secure Firewall Management Center | 2024-11-26 | N/A | 4.3 MEDIUM |
| A vulnerability in the module import function of the administrative interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to view sensitive information. This vulnerability is due to insufficient validation of the XML syntax when importing a module. An attacker could exploit this vulnerability by supplying a specially crafted XML file to the function. A successful exploit could allow the attacker to read sensitive data that would normally not be revealed. | |||||
| CVE-2024-6961 | 2024-11-25 | N/A | 5.9 MEDIUM | ||
| RAIL documents are an XML-based format invented by Guardrails AI to enforce formatting checks on LLM outputs. Guardrails users that consume RAIL documents from external sources are vulnerable to XXE, which may cause leakage of internal file data via the SYSTEM entity. | |||||
| CVE-2024-10218 | 2024-11-22 | N/A | N/A | ||
| XSS Attack in mar.jar, Monitoring Archive Utility (MAR Utility), monitoringconsolecommon.jar in TIBCO Software Inc TIBCO Hawk and TIBCO Operational Intelligence | |||||
| CVE-2024-6893 | 1 Journyx | 1 Journyx | 2024-11-21 | N/A | 7.5 HIGH |
| The "soap_cgi.pyc" API handler allows the XML body of SOAP requests to contain references to external entities. This allows an unauthenticated attacker to read local files, perform server-side request forgery, and overwhelm the web server resources. | |||||
| CVE-2024-5625 | 2024-11-21 | N/A | 6.5 MEDIUM | ||
| Improper Restriction of XML External Entity Reference vulnerability in PruvaSoft Informatics Apinizer Management Console allows Data Serialization External Entities Blowup.This issue affects Apinizer Management Console: before 2024.05.1. | |||||
| CVE-2024-3930 | 1 Perforce | 1 Akana Api | 2024-11-21 | N/A | 6.3 MEDIUM |
| In versions of Akana API Platform prior to 2024.1.0 a flaw resulting in XML External Entity (XXE) was discovered. | |||||
| CVE-2024-38374 | 2024-11-21 | N/A | 7.5 HIGH | ||
| The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Before deserializing CycloneDX Bill of Materials in XML format, _cyclonedx-core-java_ leverages XPath expressions to determine the schema version of the BOM. The `DocumentBuilderFactory` used to evaluate XPath expressions was not configured securely, making the library vulnerable to XML External Entity (XXE) injection. This vulnerability has been fixed in cyclonedx-core-java version 9.0.4. | |||||
| CVE-2024-37388 | 1 Dnkorpushov | 1 Ebookmeta | 2024-11-21 | N/A | 9.1 CRITICAL |
| An XML External Entity (XXE) vulnerability in the ebookmeta.get_metadata function of lxml before v4.9.1 allows attackers to access sensitive information or cause a Denial of Service (DoS) via crafted XML input. | |||||
| CVE-2024-34345 | 2024-11-21 | N/A | 8.1 HIGH | ||
| The CycloneDX JavaScript library contains the core functionality of OWASP CycloneDX for JavaScript. In 6.7.0, XML External entity injections were possible, when running the provided XML Validator on arbitrary input. This issue was fixed in version 6.7.1. | |||||
| CVE-2024-2826 | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability classified as problematic was found in lakernote EasyAdmin up to 20240315. This vulnerability affects unknown code of the file /ureport/designer/saveReportFile. The manipulation leads to xml external entity reference. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257716. | |||||
| CVE-2024-29010 | 2024-11-21 | N/A | 7.1 HIGH | ||
| The XML document processed in the GMS ECM URL endpoint is vulnerable to XML external entity (XXE) injection, potentially resulting in the disclosure of sensitive information. This issue affects GMS: 9.3.4 and earlier versions. | |||||
| CVE-2024-28168 | 2024-11-21 | N/A | 7.5 HIGH | ||
| Improper Restriction of XML External Entity Reference ('XXE') vulnerability in Apache XML Graphics FOP. This issue affects Apache XML Graphics FOP: 2.9. Users are recommended to upgrade to version 2.10, which fixes the issue. | |||||
| CVE-2024-28039 | 2024-11-21 | N/A | 5.8 MEDIUM | ||
| Improper restriction of XML external entity references vulnerability exists in FitNesse all releases, which allows a remote unauthenticated attacker to obtain sensitive information, alter data, or cause a denial-of-service (DoS) condition. | |||||
| CVE-2024-27266 | 1 Ibm | 1 Maximo Application Suite | 2024-11-21 | N/A | 8.2 HIGH |
| IBM Maximo Application Suite 7.6.1.3 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 284566. | |||||
| CVE-2024-24743 | 1 Sap | 1 Netweaver Application Server Java | 2024-11-21 | N/A | 8.6 HIGH |
| SAP NetWeaver AS Java (CAF - Guided Procedures) - version 7.50, allows an unauthenticated attacker to submit a malicious request with a crafted XML file over the network, which when parsed will enable him to access sensitive files and data but not modify them. There are expansion limits in place so that availability is not affected. | |||||
| CVE-2024-22354 | 2024-11-21 | N/A | 7.0 HIGH | ||
| IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.5 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information, consume memory resources, or to conduct a server-side request forgery attack. IBM X-Force ID: 280401. | |||||
| CVE-2024-21796 | 1 Dfeg | 1 Electronic Deliverables Creation Support Tool | 2024-11-21 | N/A | 5.5 MEDIUM |
| Electronic Deliverables Creation Support Tool (Construction Edition) prior to Ver1.0.4 and Electronic Deliverables Creation Support Tool (Design & Survey Edition) prior to Ver1.0.4 improperly restrict XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker. | |||||
| CVE-2024-1167 | 1 Seweurodrive | 1 Movitools Motionstudio | 2024-11-21 | N/A | 5.5 MEDIUM |
| When SEW-EURODRIVE MOVITOOLS MotionStudio processes XML information unrestricted file access can occur. | |||||
| CVE-2023-6836 | 1 Wso2 | 7 Api Manager, Api Manager Analytics, Api Microgateway and 4 more | 2024-11-21 | N/A | 4.6 MEDIUM |
| Multiple WSO2 products have been identified as vulnerable due to an XML External Entity (XXE) attack abuses a widely available but rarely used feature of XML parsers to access sensitive information. | |||||