Total: 1093 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-30137 | 1 Axiossystems | 1 Assyst | 2024-11-21 | 6.4 MEDIUM | 7.7 HIGH |
Assyst 10 SP7.5 has authenticated XXE leading to SSRF via XML unmarshalling. The application allows users to send JSON or XML data to the server. It was possible to inject malicious XML data through several access points. | |||||
CVE-2021-30006 | 1 Jetbrains | 1 Intellij Idea | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
In IntelliJ IDEA before 2020.3.3, XXE was possible, leading to information disclosure. | |||||
CVE-2021-2401 | 1 Oracle | 1 Bi Publisher | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
Vulnerability in the Oracle BI Publisher product of Oracle Fusion Middleware (component: E-Business Suite - XDO). Supported versions that are affected are 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle BI Publisher. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle BI Publisher accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). | |||||
CVE-2021-29831 | 1 Ibm | 2 Jazz For Service Management, Tivoli Netcool/omnibus Gui | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbus_GUI is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 204775. | |||||
CVE-2021-29620 | 1 Reportportal | 1 Service-api | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
Report portal is an open source reporting and analysis framework. Starting from version 3.1.0 of the service-api XML parsing was introduced. Unfortunately the XML parser was not configured properly to prevent XML external entity (XXE) attacks. This allows a user to import a specifically-crafted XML file which imports external Document Type Definition (DTD) file with external entities for extraction of secrets from Report Portal service-api module or server-side request forgery. This will be resolved in the 5.4.0 release. | |||||
CVE-2021-29447 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2024-11-21 | 4.0 MEDIUM | 7.1 HIGH |
Wordpress is an open source CMS. A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XXE attacks. This requires the WordPress installation to be using PHP 8. Access to internal files is possible in a successful XXE attack. This has been patched in WordPress version 5.7.1, along with the older affected versions via a minor release. We strongly recommend you keep auto-updates enabled. | |||||
CVE-2021-29421 | 2 Fedoraproject, Pikepdf Project | 2 Fedora, Pikepdf | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
models/metadata.py in the pikepdf package 1.3.0 through 2.9.2 for Python allows XXE when parsing XMP metadata entries. | |||||
CVE-2021-29140 | 1 Arubanetworks | 1 Clearpass | 2024-11-21 | 6.4 MEDIUM | 8.2 HIGH |
A remote XML external entity (XXE) vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.9.5, 6.8.9, 6.7.14-HF1. Aruba has released patches for Aruba ClearPass Policy Manager that address this security vulnerability. | |||||
CVE-2021-28973 | 1 Perforce | 1 Helix Alm | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
The XML Import functionality of the Administration console in Perforce Helix ALM 2020.3.1 Build 22 accepts XML input data that is parsed by insecurely configured software components, leading to XXE attacks. | |||||
CVE-2021-28684 | 1 Powerarchiver | 1 Powerarchiver | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
The XML parser used in ConeXware PowerArchiver before 20.10.02 allows processing of external entities, which might lead to exfiltration of local files over the network (via an XXE attack). | |||||
CVE-2021-28110 | 1 Compassplus | 1 Tranzware E-commerce Payment Gateway | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
/exec in TranzWare e-Commerce Payment Gateway (TWEC PG) before 3.1.27.5 had a vulnerability in its XML parser. | |||||
CVE-2021-27931 | 1 Lumis | 1 Lumis Experience Platform | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
LumisXP (aka Lumis Experience Platform) before 10.0.0 allows unauthenticated blind XXE via an API request to PageControllerXml.jsp. One can send a request crafted with an XXE payload and achieve outcomes such as reading local server files or denial of service. | |||||
CVE-2021-27777 | 1 Hcltech | 1 Unica | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
XML External Entity (XXE) injection vulnerabilities occur when poorly configured XML parsers process user supplied input without sufficient validation. Attackers can exploit this vulnerability to manipulate XML content and inject malicious external entity references. | |||||
CVE-2021-27741 | 1 Hcltechsw | 1 Hcl Commerce | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
Security vulnerability in HCL Commerce Management Center allowing XML external entity (XXE) injection. | |||||
CVE-2021-27736 | 1 Fusionauth | 1 Saml V2 | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
FusionAuth fusionauth-samlv2 before 0.5.4 allows XXE attacks via a forged AuthnRequest or LogoutRequest because parseFromBytes uses javax.xml.parsers.DocumentBuilderFactory unsafely. | |||||
CVE-2021-27635 | 1 Sap | 1 Netweaver Application Server For Java | 2024-11-21 | 5.5 MEDIUM | 6.5 MEDIUM |
SAP NetWeaver AS for JAVA, versions - 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker authenticated as an administrator to connect over a network and submit a specially crafted XML file to the application because of missing XML validation. This vulnerability enables the attacker to fully compromise confidentiality by reading any file on the filesystem, or to fully compromise availability by causing the system to crash. The attack cannot be used to change any data, so there is no compromise of integrity. | |||||
CVE-2021-27604 | 1 Sap | 1 Netweaver Process Integration | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
In order to prevent an XML External Entity vulnerability in SAP NetWeaver ABAP Server and ABAP Platform (Process Integration - Enterprise Service Repository JAVA Mappings), versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50, SAP recommends referring to this note. | |||||
CVE-2021-27492 | 3 Datakit, Luxion, Siemens | 6 Crosscadware, Keyshot, Solid Edge Se2020 and 3 more | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
When opening a specially crafted 3DXML file, the application containing Datakit Software libraries CatiaV5_3dRead, CatiaV6_3dRead, Step3dRead, Ug3dReadPsr, Jt3dReadPsr modules in KeyShot Versions v10.1 and prior could disclose arbitrary files to remote attackers. This is because of the passing of specially crafted content to the underlying XML parser without taking proper restrictions such as prohibiting an external DTD. | |||||
CVE-2021-27184 | 1 Pelco | 1 Digital Sentry Server | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
Pelco Digital Sentry Server 7.18.72.11464 has an XML External Entity vulnerability (exploitable via the DTD parameter entities technique), resulting in disclosure and retrieval of arbitrary data on the affected node via an out-of-band (OOB) attack. The vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the ControlPointCacheShare.xml file (in a %APPDATA%\Pelco directory) when DSControlPoint.exe is executed. | |||||
CVE-2021-26969 | 1 Arubanetworks | 1 Airwave | 2024-11-21 | 5.5 MEDIUM | 6.5 MEDIUM |
A remote authenticated XML external entity (XXE) vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0. Due to improper restrictions on XML entities, a vulnerability exists in the web-based management interface of AirWave. A successful exploit could allow an authenticated attacker to retrieve files from the local system or cause the application to consume system resources, resulting in a denial of service condition. | |||||