Total
1093 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-0218 | 1 Cisco | 1 Secure Access Control Server Solution Engine | 2024-11-21 | 4.3 MEDIUM | 3.3 LOW |
| A vulnerability in the web-based user interface of the Cisco Secure Access Control Server prior to 5.8 patch 9 could allow an unauthenticated, remote attacker to gain read access to certain information in the affected system. The vulnerability is due to improper handling of XML External Entities (XXEs) when parsing an XML file. An attacker could exploit this vulnerability by convincing the administrator of an affected system to import a crafted XML file. Cisco Bug IDs: CSCve70616. | |||||
| CVE-2018-0207 | 1 Cisco | 1 Secure Access Control Server Solution Engine | 2024-11-21 | 4.3 MEDIUM | 3.3 LOW |
| A vulnerability in the web-based user interface of the Cisco Secure Access Control Server prior to 5.8 patch 9 could allow an unauthenticated, remote attacker to gain read access to certain information in the affected system. The vulnerability is due to improper handling of XML External Entities (XXEs) when parsing an XML file. An attacker could exploit this vulnerability by convincing the administrator of an affected system to import a crafted XML file. Cisco Bug IDs: CSCve70595. | |||||
| CVE-2018-0108 | 1 Cisco | 1 Webex Meetings Server | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability in Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to collect customer files via an out-of-band XML External Entity (XXE) injection. An attacker could exploit this vulnerability to gain information to conduct additional reconnaissance attacks. The vulnerability is due to the ability of an attacker to perform an out-of-band XXE injection on the system, which could allow an attacker to capture customer files and redirect them to another destination address. An exploit could allow the attacker to discover sensitive customer data. Cisco Bug IDs: CSCvg36996. | |||||
| CVE-2018-0100 | 1 Cisco | 1 Anyconnect Secure Mobility Client | 2024-11-21 | 3.6 LOW | 4.4 MEDIUM |
| A vulnerability in the Profile Editor of the Cisco AnyConnect Secure Mobility Client could allow an unauthenticated, local attacker to have read and write access to information stored in the affected system. The vulnerability is due to improper handling of the XML External Entity (XXE) entries when parsing an XML file. An attacker could exploit this vulnerability by injecting a crafted XML file with malicious entries, which could allow the attacker to read and write files. Cisco Bug IDs: CSCvg19341. | |||||
| CVE-2017-9362 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| ManageEngine ServiceDesk Plus before 9312 contains an XML injection at add Configuration items CMDB API. | |||||
| CVE-2017-8316 | 1 Jetbrains | 1 Intellij Idea | 2024-11-21 | 7.8 HIGH | 7.5 HIGH |
| IntelliJ IDEA XML parser was found vulnerable to XML External Entity attack, an attacker can exploit the vulnerability by implementing malicious code on both Androidmanifest.xml. | |||||
| CVE-2017-8315 | 1 Eclipse | 1 Ide | 2024-11-21 | 7.8 HIGH | 7.5 HIGH |
| Eclipse XML parser for the Eclipse IDE versions 2017.2.5 and earlier was found vulnerable to an XML External Entity attack. An attacker can exploit the vulnerability by implementing malicious code on Androidmanifest.xml. | |||||
| CVE-2017-7545 | 1 Redhat | 3 Decision Manager, Jboss Bpm Suite, Jbpm | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| It was discovered that the XmlUtils class in jbpmmigration 6.5 performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML eXternal Entity (XXE) attacks. | |||||
| CVE-2017-7465 | 1 Redhat | 1 Jboss Enterprise Application Platform | 2024-11-21 | 7.5 HIGH | 9.0 CRITICAL |
| It was found that the JAXP implementation used in JBoss EAP 7.0 for XSLT processing is vulnerable to code injection. An attacker could use this flaw to cause remote code execution if they are able to provide XSLT content for parsing. Doing a transform in JAXP requires the use of a 'javax.xml.transform.TransformerFactory'. If the FEATURE_SECURE_PROCESSING feature is set to 'true', it mitigates this vulnerability. | |||||
| CVE-2017-7464 | 1 Redhat | 1 Jboss Enterprise Application Platform | 2024-11-21 | 7.5 HIGH | 8.7 HIGH |
| It was found that the JAXP implementation used in JBoss EAP 7.0 for SAX and DOM parsing is vulnerable to certain XXE flaws. An attacker could use this flaw to cause DoS, SSRF, or information disclosure if they are able to provide XML content for parsing. | |||||
| CVE-2017-7426 | 1 Netiq | 1 Identity Manager | 2024-11-21 | 6.4 MEDIUM | 5.4 MEDIUM |
| The NetIQ Identity Manager Plugins before 4.6.1 contained various XML External XML Entity (XXE) handling flaws that could be used by attackers to leak information or cause denial of service attacks. | |||||
| CVE-2017-7375 | 3 Debian, Google, Xmlsoft | 3 Debian Linux, Android, Libxml2 | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A flaw in libxml2 allows remote XML entity inclusion with default parser flags (i.e., when the caller did not request entity substitution, DTD validation, external DTD subset loading, or default DTD attributes). Depending on the context, this may expose a higher-risk attack surface in libxml2 not usually reachable with default parser flags, and expose content from local files, HTTP, or FTP servers (which might be otherwise unreachable). | |||||
| CVE-2017-6323 | 1 Symantec | 1 Management Console | 2024-11-21 | 5.2 MEDIUM | 8.0 HIGH |
| The Symantec Management Console prior to ITMS 8.1 RU1, ITMS 8.0_POST_HF6, and ITMS 7.6_POST_HF7 has an issue whereby XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts. | |||||
| CVE-2017-5828 | 1 Hp | 1 Aruba Clearpass Policy Manager | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
| An arbitrary command execution vulnerability in HPE Aruba ClearPass Policy Manager version 6.6.x was found. | |||||
| CVE-2017-3208 | 1 Themidnightcoders | 1 Weborb For Java | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The Java implementation of AMF3 deserializers used by WebORB for Java by Midnight Coders, version 5.1.1.0, allows external entity references (XXEs) from XML documents embedded within AMF3 messages. If the XML parsing is handled incorrectly it could potentially expose sensitive data on the server, denial of service, or server side request forgery. | |||||
| CVE-2017-3206 | 1 Exadel | 1 Flamingo | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The Java implementation of AMF3 deserializers used by Flamingo amf-serializer by Exadel, version 2.2.0, allows external entity references (XXEs) from XML documents embedded within AMF3 messages. If the XML parsing is handled incorrectly it could potentially expose sensitive data on the server, denial of service, or server side request forgery. | |||||
| CVE-2017-2815 | 1 Igniterealtime | 1 User Import Export | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
| An exploitable XML entity injection vulnerability exists in OpenFire User Import Export Plugin 2.6.0. A specially crafted web request can cause the retrieval of arbitrary files or denial of service. An authenticated attacker can send a crafted web request to trigger this vulnerability. | |||||
| CVE-2017-20151 | 1 Itextpdf | 1 Rups | 2024-11-21 | 5.2 MEDIUM | 5.5 MEDIUM |
| A vulnerability classified as problematic was found in iText RUPS. This vulnerability affects unknown code of the file src/main/java/com/itextpdf/rups/model/XfaFile.java. The manipulation leads to xml external entity reference. The patch is identified as ac5590925874ef810018a6b60fec216eee54fb32. It is recommended to apply a patch to fix this issue. VDB-217054 is the identifier assigned to this vulnerability. | |||||
| CVE-2017-1758 | 1 Ibm | 3 Control Center, Financial Transaction Manager, Transformation Extender Advanced | 2024-11-21 | 5.5 MEDIUM | 7.1 HIGH |
| IBM Financial Transaction Manager for ACH Services for Multi-Platform (IBM Control Center 6.0 and 6.1, IBM Financial Transaction Manager 3.0.2, 3.0.3, 3.0.4, and 3.1.0, IBM Transformation Extender Advanced 9.0) is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 135859. | |||||
| CVE-2017-1666 | 1 Ibm | 1 Security Key Lifecycle Manager | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
| IBM Tivoli Key Lifecycle Manager 2.5, 2.6, and 2.7 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 133540. | |||||