Total
1093 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-36773 | 2 Ibm, Netapp | 2 Cognos Analytics, Oncommand Insight | 2024-11-21 | N/A | 8.1 HIGH |
| IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 233571. | |||||
| CVE-2022-35741 | 1 Apache | 1 Cloudstack | 2024-11-21 | N/A | 9.8 CRITICAL |
| Apache CloudStack version 4.5.0 and later has a SAML 2.0 authentication Service Provider plugin which is found to be vulnerable to XML external entity (XXE) injection. This plugin is not enabled by default and the attacker would require that this plugin be enabled to exploit the vulnerability. When the SAML 2.0 plugin is enabled in affected versions of Apache CloudStack could potentially allow the exploitation of XXE vulnerabilities. The SAML 2.0 messages constructed during the authentication flow in Apache CloudStack are XML-based and the XML data is parsed by various standard libraries that are now understood to be vulnerable to XXE injection attacks such as arbitrary file reading, possible denial of service, server-side request forgery (SSRF) on the CloudStack management server. | |||||
| CVE-2022-35168 | 1 Sap | 1 Business One | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Due to improper input sanitization of XML input in SAP Business One - version 10.0, an attacker can perform a denial-of-service attack rendering the system temporarily inoperative. | |||||
| CVE-2022-34832 | 1 Vermeg | 1 Agile Reporter | 2024-11-21 | N/A | 6.5 MEDIUM |
| An issue was discovered in VERMEG AgileReporter 21.3. XXE can occur via an XML document to the Analysis component. | |||||
| CVE-2022-34793 | 1 Jenkins | 1 Recipe | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Jenkins Recipe Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2022-34348 | 1 Ibm | 1 Sterling Partner Engagement Manager | 2024-11-21 | N/A | 7.1 HIGH |
| IBM Sterling Partner Engagement Manager 6.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 230017. | |||||
| CVE-2022-34001 | 1 Unit4 | 1 Enterprise Resource Planning | 2024-11-21 | N/A | 6.5 MEDIUM |
| Unit4 ERP through 7.9 allows XXE via ExecuteServerProcessAsynchronously. | |||||
| CVE-2022-32755 | 1 Ibm | 3 Security Directory Server, Security Directory Suite, Security Verify Directory | 2024-11-21 | N/A | 5.5 MEDIUM |
| IBM Security Directory Server 6.4.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 228505. | |||||
| CVE-2022-32458 | 1 Digiwin | 1 Business Process Management | 2024-11-21 | N/A | 7.5 HIGH |
| Digiwin BPM has a XML External Entity Injection (XXE) vulnerability due to insufficient validation for user input. An unauthenticated remote attacker can perform XML injection attack to access arbitrary system files. | |||||
| CVE-2022-32285 | 1 Mendix | 1 Saml | 2024-11-21 | 4.3 MEDIUM | 7.5 HIGH |
| A vulnerability has been identified in Mendix SAML Module (Mendix 7 compatible) (All versions < V1.16.6), Mendix SAML Module (Mendix 8 compatible) (All versions < V2.2.2), Mendix SAML Module (Mendix 9 compatible) (All versions < V3.2.3). The affected module is vulnerable to XML External Entity (XXE) attacks due to insufficient input sanitation. This may allow an attacker to disclose confidential data under certain circumstances. | |||||
| CVE-2022-31775 | 1 Ibm | 1 Datapower Gateway | 2024-11-21 | N/A | 9.1 CRITICAL |
| IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 228359. | |||||
| CVE-2022-31678 | 1 Vmware | 2 Cloud Foundation, Nsx Data Center | 2024-11-21 | N/A | 9.1 CRITICAL |
| VMware Cloud Foundation (NSX-V) contains an XML External Entity (XXE) vulnerability. On VCF 3.x instances with NSX-V deployed, this may allow a user to exploit this issue leading to a denial-of-service condition or unintended information disclosure. | |||||
| CVE-2022-31471 | 1 Untangle Project | 1 Untangle | 2024-11-21 | N/A | 7.5 HIGH |
| untangle is a python library to convert XML data to python objects. untangle versions 1.2.0 and earlier improperly restricts XML external entity references. By exploiting this vulnerability, a remote unauthenticated attacker may read the contents of local files. | |||||
| CVE-2022-31447 | 1 Magicpin | 1 Magicpin | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An XML external entity (XXE) injection vulnerability in Magicpin v3.4 allows attackers to access sensitive database information via a crafted SVG file. | |||||
| CVE-2022-31261 | 1 Morpheusdata | 1 Morpheus | 2024-11-21 | 4.3 MEDIUM | 7.5 HIGH |
| An XXE issue was discovered in Morpheus through 5.2.16 and 5.4.x through 5.4.4. A successful attack requires a SAML identity provider to be configured. In order to exploit the vulnerability, the attacker must know the unique SAML callback ID of the configured identity source. A remote attacker can send a request crafted with an XXE payload to invoke a malicious DTD hosted on a system that they control. This results in reading local files that the application has access to. | |||||
| CVE-2022-30971 | 1 Jenkins | 1 Storable Configs | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Jenkins Storable Configs Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2022-2838 | 1 Eclipse | 1 Sphinx | 2024-11-21 | N/A | 5.3 MEDIUM |
| In Eclipse Sphinxâ„¢ before version 0.13.1, Apache Xerces XML Parser was used without disabling processing of referenced external entities allowing the injection of arbitrary definitions which is able to access local files and expose their contents via HTTP requests. | |||||
| CVE-2022-2759 | 1 Deltaww | 1 Delta Robot Automation Studio | 2024-11-21 | N/A | 5.5 MEDIUM |
| Delta Electronics Delta Robot Automation Studio (DRAS) versions prior to 1.13.20 are affected by improper restrictions where the software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. This may allow an attacker to view sensitive documents and information on the affected host. | |||||
| CVE-2022-2458 | 1 Redhat | 1 Process Automation Manager | 2024-11-21 | N/A | 8.2 HIGH |
| XML external entity injection(XXE) is a vulnerability that allows an attacker to interfere with an application's processing of XML data. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. Here, XML external entity injection lead to External Service interaction & Internal file read in Business Central and also Kie-Server APIs. | |||||
| CVE-2022-2414 | 1 Dogtagpki | 1 Dogtagpki | 2024-11-21 | N/A | 7.5 HIGH |
| Access to external entities when parsing XML documents can lead to XML external entity (XXE) attacks. This flaw allows a remote attacker to potentially retrieve the content of arbitrary files by sending specially crafted HTTP requests. | |||||