Total
1095 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-13940 | 1 Apache | 1 Nifi | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
| In Apache NiFi 1.0.0 to 1.11.4, the notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE). | |||||
| CVE-2020-13883 | 1 Wso2 | 3 Api Manager, Api Microgateway, Identity Server As Key Manager | 2024-11-21 | 6.5 MEDIUM | 6.7 MEDIUM |
| In WSO2 API Manager 3.0.0 and earlier, WSO2 API Microgateway 2.2.0, and WSO2 IS as Key Manager 5.9.0 and earlier, Management Console allows XXE during addition or update of a Lifecycle. | |||||
| CVE-2020-13692 | 5 Debian, Fedoraproject, Netapp and 2 more | 5 Debian Linux, Fedora, Steelstore Cloud Integrated Storage and 2 more | 2024-11-21 | 6.8 MEDIUM | 7.7 HIGH |
| PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE. | |||||
| CVE-2020-12719 | 1 Wso2 | 7 Api Manager, Api Manager Analytics, Api Microgateway and 4 more | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| XXE during an EventPublisher update can occur in Management Console in WSO2 API Manager 3.0.0 and earlier, API Manager Analytics 2.5.0 and earlier, API Microgateway 2.2.0, Enterprise Integrator 6.4.0 and earlier, IS as Key Manager 5.9.0 and earlier, Identity Server 5.9.0 and earlier, and Identity Server Analytics 5.6.0 and earlier. | |||||
| CVE-2020-12684 | 1 Inetsoftware | 1 I-net Clear Reports | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| XXE injection can occur in i-net Clear Reports 2019 19.0.287 (Designer), as used in i-net HelpDesk and other products, when XML input containing a reference to an external entity is processed by a weakly configured XML parser. | |||||
| CVE-2020-12642 | 1 Reportportal | 1 Service-api | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in service-api before 4.3.12 and 5.x before 5.1.1 for Report Portal. It allows XXE, with resultant secrets disclosure and SSRF, via JUnit XML launch import. | |||||
| CVE-2020-12025 | 1 Rockwellautomation | 1 Studio 5000 Logix Designer | 2024-11-21 | 4.3 MEDIUM | 3.3 LOW |
| Rockwell Automation Logix Designer Studio 5000 Versions 32.00, 32.01, and 32.02 vulnerable to an xml external entity (XXE) vulnerability, which may allow an attacker to view hostnames or other resources from the program. | |||||
| CVE-2020-11991 | 1 Apache | 1 Cocoon | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| When using the StreamGenerator, the code parse a user-provided XML. A specially crafted XML, including external system entities, could be used to access any file on the server system. | |||||
| CVE-2020-11885 | 1 Wso2 | 1 Enterprise Integrator | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| WSO2 Enterprise Integrator through 6.6.0 has an XXE vulnerability where a user (with admin console access) can use the XML validator to make unintended network invocations such as SSRF via an uploaded file. | |||||
| CVE-2020-11586 | 1 Cipplanner | 1 Cipace | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An XXE issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make an API request that contains malicious XML DTD data. | |||||
| CVE-2020-11541 | 1 Techsmith | 1 Snagit | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| In TechSmith SnagIt 11.2.1 through 20.0.3, an XML External Entity (XXE) injection issue exists that would allow a local attacker to exfiltrate data under the local Administrator account. | |||||
| CVE-2020-10993 | 1 Osmand | 1 Osmand | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| Osmand through 2.0.0 allow XXE because of binary/BinaryMapIndexReader.java. | |||||
| CVE-2020-10992 | 1 Azkaban Project | 1 Azkaban | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Azkaban through 3.84.0 allows XXE, related to validator/XmlValidatorManager.java and user/XmlUserManager.java. | |||||
| CVE-2020-10991 | 1 Mulesoft | 1 Aplkit | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Mulesoft APIkit through 1.3.0 allows XXE because of validation/RestXmlSchemaValidator.java | |||||
| CVE-2020-10990 | 1 Accenture | 1 Mercury | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An XXE issue exists in Accenture Mercury before 1.12.28 because of the platformlambda/core/serializers/SimpleXmlParser.java component. | |||||
| CVE-2020-10799 | 1 Svglib Project | 1 Svglib | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The svglib package through 0.9.3 for Python allows XXE attacks via an svg2rlg call. | |||||
| CVE-2020-10683 | 5 Canonical, Dom4j Project, Netapp and 2 more | 38 Ubuntu Linux, Dom4j, Oncommand Api Services and 35 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j. | |||||
| CVE-2020-10629 | 1 Advantech | 1 Webaccess\/nms | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| WebAccess/NMS (versions prior to 3.0.2) does not sanitize XML input. Specially crafted XML input could allow an attacker to read sensitive files. | |||||
| CVE-2019-9843 | 1 Diffplug | 2 Gradle, Maven | 2024-11-21 | 5.1 MEDIUM | 7.5 HIGH |
| In DiffPlug Spotless before 1.20.0 (library and Maven plugin) and before 3.20.0 (Gradle plugin), the XML parser would resolve external entities over both HTTP and HTTPS and didn't respect the resolveExternalEntities setting. For example, this allows disclosure of file contents to a MITM attacker if a victim performs a spotlessApply operation on an untrusted XML file. | |||||
| CVE-2019-9761 | 1 Phpshe | 1 Phpshe | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An XXE issue was discovered in PHPSHE 1.7, which can be used to read any file in the system or scan the internal network without authentication. This occurs because of the call to wechat_getxml in include/plugin/payment/wechat/notify_url.php. | |||||