Total: 1093 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-37200 | 1 Se | 1 Ecostruxure Opc Ua Server Expert | 2024-11-21 | N/A | 5.5 MEDIUM |
A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause loss of confidentiality when replacing a project file on the local filesystem and after manual restart of the server. | |||||
CVE-2023-36419 | 1 Microsoft | 1 Azure Hdinsights | 2024-11-21 | N/A | 8.8 HIGH |
Azure HDInsight Apache Oozie Workflow Scheduler XXE Elevation of Privilege Vulnerability | |||||
CVE-2023-35892 | 1 Ibm | 1 Financial Transaction Manager | 2024-11-21 | N/A | 7.1 HIGH |
IBM Financial Transaction Manager for SWIFT Services 3.2.4 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 258786. | |||||
CVE-2023-35786 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2024-11-21 | N/A | 4.9 MEDIUM |
Zoho ManageEngine ADManager Plus before 7183 allows admin users to exploit an XXE issue to view files. | |||||
CVE-2023-35389 | 1 Microsoft | 1 Dynamics 365 | 2024-11-21 | N/A | 6.5 MEDIUM |
Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability | |||||
CVE-2023-32706 | 1 Splunk | 2 Splunk, Splunk Cloud Platform | 2024-11-21 | N/A | 7.7 HIGH |
On Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, an unauthenticated attacker can send specially-crafted messages to the XML parser within SAML authentication to cause a denial of service in the Splunk daemon. | |||||
CVE-2023-32639 | 1 Moj | 1 Applicant Programme | 2024-11-21 | N/A | 5.5 MEDIUM |
Applicant Programme Ver.7.06 and earlier improperly restricts XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker. | |||||
CVE-2023-32635 | 1 Edinet-fsa | 1 Xbrl Data Create | 2024-11-21 | N/A | 5.5 MEDIUM |
XBRL data create application version 7.0 and earlier improperly restricts XML external entity references (XXE). By processing a specially crafted XBRL file, arbitrary files on the system may be read by an attacker. | |||||
CVE-2023-32567 | 1 Ivanti | 1 Avalanche | 2024-11-21 | N/A | 9.8 CRITICAL |
Ivanti Avalanche decodeToMap XML External Entity Processing. Fixed in version 6.4.1.236 | |||||
CVE-2023-32327 | 1 Ibm | 2 Security Verify Access, Security Verify Access Docker | 2024-11-21 | N/A | 7.1 HIGH |
IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 254783. | |||||
CVE-2023-30951 | 1 Palantir | 1 Magritte-rest-source-bundle | 2024-11-21 | N/A | 6.3 MEDIUM |
The Foundry Magritte plugin rest-source was found to be vulnerable to an XML External Entity attack (XXE). | |||||
CVE-2023-2806 | 1 Weaver | 1 E-cology | 2024-11-21 | 5.2 MEDIUM | 5.5 MEDIUM |
A vulnerability classified as problematic was found in Weaver e-cology up to 9.0. Affected by this vulnerability is the function RequestInfoByXml of the component API. The manipulation leads to xml external entity reference. The associated identifier of this vulnerability is VDB-229411. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
CVE-2023-2161 | 1 Schneider-electric | 1 Opc Factory Server | 2024-11-21 | N/A | 5.0 MEDIUM |
A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause unauthorized read access to the file system when a malicious configuration file is loaded on to the software by a local user. | |||||
CVE-2023-28828 | 1 Siemens | 1 Polarion Alm | 2024-11-21 | N/A | 5.9 MEDIUM |
A vulnerability has been identified in Polarion ALM (All versions < V22R2). The application contains an XML External Entity Injection (XXE) vulnerability. This could allow an attacker to view files on the application server filesystem. | |||||
CVE-2023-28009 | 1 Hcltech | 1 Workload Automation | 2024-11-21 | N/A | 6.5 MEDIUM |
HCL Workload Automation is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. | |||||
CVE-2023-28008 | 1 Hcltech | 1 Workload Automation | 2024-11-21 | N/A | 7.1 HIGH |
HCL Workload Automation 9.4, 9.5, and 10.1 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. | |||||
CVE-2023-27876 | 1 Ibm | 1 Tririga Application Platform | 2024-11-21 | N/A | 7.1 HIGH |
IBM TRIRIGA 4.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 249975. | |||||
CVE-2023-27874 | 2 Ibm, Linux | 2 Aspera Faspex, Linux Kernel | 2024-11-21 | N/A | 9.9 CRITICAL |
IBM Aspera Faspex 4.4.2 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote authenticated attacker could exploit this vulnerability to execute arbitrary commands. IBM X-Force ID: 249845. | |||||
CVE-2023-27480 | 1 Xwiki | 1 Xwiki | 2024-11-21 | N/A | 7.7 HIGH |
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with edit rights on a document can trigger an XAR import on a forged XAR file, leading to the ability to display the content of any file on the XWiki server host. This vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10-rc-1. Users are advised to upgrade. Users unable to upgrade may apply the patch `e3527b98fd` manually. | |||||
CVE-2023-27476 | 1 Osgeo | 1 Owslib | 2024-11-21 | N/A | 8.2 HIGH |
OWSLib is a Python package for client programming with Open Geospatial Consortium (OGC) web service interface standards, and their related content models. OWSLib's XML parser (which supports both `lxml` and `xml.etree`) does not disable entity resolution, and could lead to arbitrary file reads from an attacker-controlled XML payload. This affects all XML parsing in the codebase. This issue has been addressed in version 0.28.1. All users are advised to upgrade. The only known workaround is to patch the library manually. See `GHSA-8h9c-r582-mggc` for details. | |||||