Total
1093 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-16166 | 1 Jpcert | 1 Logontracer | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| LogonTracer 1.2.0 and earlier allows remote attackers to conduct XML External Entity (XXE) attacks via unspecified vectors. | |||||
| CVE-2018-15805 | 1 Accusoft | 1 Prizmdoc | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| Accusoft PrizmDoc HTML5 Document Viewer before 13.5 contains an XML external entity (XXE) vulnerability, allowing an attacker to read arbitrary files or cause a denial of service (resource consumption). | |||||
| CVE-2018-15531 | 1 Javamelody Project | 1 Javamelody | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| JavaMelody before 1.74.0 has XXE via parseSoapMethodName in bull/javamelody/PayloadNameRequestWrapper.java. | |||||
| CVE-2018-15506 | 1 Bubblesoftapps | 1 Bubbleupnp | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In BubbleUPnP 0.9 update 30, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this vulnerability to: (1) Access arbitrary files from the filesystem with the same permission as the user account running BubbleUPnP, (2) Initiate SMB connections to capture a NetNTLM challenge/response and crack the cleartext password, or (3) Initiate SMB connections to relay a NetNTLM challenge/response and achieve Remote Command Execution in Windows domains. | |||||
| CVE-2018-15444 | 1 Cisco | 1 Energy Management Suite Software | 2024-11-21 | 4.9 MEDIUM | 6.3 MEDIUM |
| A vulnerability in the web-based user interface of Cisco Energy Management Suite Software could allow an authenticated, remote attacker to gain read and write access to information that is stored on an affected system. The vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by convincing a user of an affected system to import a crafted XML file with malicious entries, which could allow the attacker to read and write files within the affected application. | |||||
| CVE-2018-15362 | 1 Ge | 1 Cimplicity | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| XXE in GE Proficy Cimplicity GDS versions 9.0 R2, 9.5, 10.0 | |||||
| CVE-2018-14720 | 4 Debian, Fasterxml, Oracle and 1 more | 12 Debian Linux, Jackson-databind, Banking Platform and 9 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization. | |||||
| CVE-2018-14485 | 1 Blogengine | 1 Blogengine.net | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| BlogEngine.NET 3.3 allows XXE attacks via the POST body to metaweblog.axd. | |||||
| CVE-2018-14473 | 1 Ocsinventory-ng | 1 Ocsinventory Ng | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| OCS Inventory 2.4.1 lacks a proper XML parsing configuration, allowing the use of external entities. This issue can be exploited by an attacker sending a crafted HTTP request in order to exfiltrate information or cause a Denial of Service. | |||||
| CVE-2018-14383 | 1 Ttpsc | 1 The Scheduler | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The Transition Technologies "The Scheduler" app 5.1.3 for Jira allows XXE due to a weakly configured/parameterized XML parser. It was fixed in the versions 5.2.1 and 3.3.7 | |||||
| CVE-2018-14065 | 1 Phpoffice Project | 1 Common | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| XMLReader.php in PHPOffice Common before 0.2.9 allows XXE. | |||||
| CVE-2018-13826 | 2 Broadcom, Ca | 2 Project Portfolio Management, Project Portfolio Management | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| An XML external entity vulnerability in the XOG functionality, in CA PPM 14.3 and below, 14.4, 15.1, 15.2 CP5 and below, and 15.3 CP2 and below, allows remote attackers to conduct server side request forgery attacks. | |||||
| CVE-2018-13823 | 2 Broadcom, Ca | 2 Project Portfolio Management, Project Portfolio Management | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An XML external entity vulnerability in the XOG functionality, in CA PPM 14.3 and below, 14.4, 15.1, 15.2 CP5 and below, and 15.3 CP2 and below, allows remote attackers to access sensitive information. | |||||
| CVE-2018-13439 | 1 Tencent | 1 Wechat Pay | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| WXPayUtil in WeChat Pay Java SDK allows XXE attacks involving a merchant notification URL. | |||||
| CVE-2018-13417 | 1 Vuze | 1 Bittorrent Client | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In Vuze Bittorrent Client 5.7.6.0, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this vulnerability to: (1) Access arbitrary files from the filesystem with the same permission as the user account running Vuze, (2) Initiate SMB connections to capture a NetNTLM challenge/response and crack to cleartext password, or (3) Initiate SMB connections to relay a NetNTLM challenge/response and achieve Remote Command Execution in Windows domains. | |||||
| CVE-2018-13416 | 1 Spirton | 1 Universal Media Server | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In Universal Media Server (UMS) 7.1.0, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this vulnerability to: (1) Access arbitrary files from the filesystem with the same permission as the user account running UMS, (2) Initiate SMB connections to capture a NetNTLM challenge/response and crack to cleartext password, or (3) Initiate SMB connections to relay a NetNTLM challenge/response and achieve Remote Command Execution in Windows domains. | |||||
| CVE-2018-13415 | 1 Plex | 1 Media Server | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In Plex Media Server 1.13.2.5154, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this vulnerability to: (1) Access arbitrary files from the filesystem with the same permission as the user account running Plex, (2) Initiate SMB connections to capture a NetNTLM challenge/response and crack to cleartext password, or (3) Initiate SMB connections to relay a NetNTLM challenge/response and achieve Remote Command Execution in Windows domains. | |||||
| CVE-2018-12585 | 1 Opcfoundation | 2 Ua-.net-legacy, Ua-java | 2024-11-21 | 6.4 MEDIUM | 8.2 HIGH |
| An XXE vulnerability in the OPC UA Java and .NET Legacy Stack can allow remote attackers to trigger a denial of service. | |||||
| CVE-2018-12544 | 1 Eclipse | 1 Vert.x | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In version from 3.5.Beta1 to 3.5.3 of Eclipse Vert.x, the OpenAPI XML type validator creates XML parsers without taking appropriate defense against XML attacks. This mechanism is exclusively when the developer uses the Eclipse Vert.x OpenAPI XML type validator to validate a provided schema. | |||||
| CVE-2018-12471 | 1 Suse | 1 Subscription Management Tool | 2024-11-21 | 6.4 MEDIUM | 6.5 MEDIUM |
| A External Entity Reference ('XXE') vulnerability in SUSE Linux SMT allows remote attackers to read data from the server or cause DoS by referencing blocking elements. Affected releases are SUSE Linux SMT: versions prior to 3.0.37. | |||||