Total
1154 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-27554 | 1 Ibm | 1 Websphere Application Server | 2025-01-24 | 6.3 Medium |
| IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 249185. | ||||
| CVE-2024-5919 | 1 Paloaltonetworks | 1 Pan-os | 2025-01-24 | 6.5 Medium |
| A blind XML External Entities (XXE) injection vulnerability in the Palo Alto Networks PAN-OS software enables an authenticated attacker to exfiltrate arbitrary files from firewalls to an attacker controlled server. This attack requires network access to the firewall management interface. | ||||
| CVE-2024-49535 | 3 Adobe, Apple, Microsoft | 6 Acrobat, Acrobat Dc, Acrobat Reader and 3 more | 2025-01-23 | 6.3 Medium |
| Acrobat Reader versions 24.005.20307, 24.001.30213, 24.001.30193, 20.005.30730, 20.005.30710 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that allows an attacker to provide malicious XML input containing a reference to an external entity, potentially leading to unauthorized read access outside the Acrobat sandbox. Exploitation of this issue requires user interaction in that a victim must process a malicious XML document. | ||||
| CVE-2024-42185 | 2025-01-23 | 2.5 Low | ||
| BigFix Patch Download Plug-ins are affected by an insecure package which is susceptible to XML injection attacks. This allows an attacker to exploit this vulnerability by injecting malicious XML content, which can lead to various issues including denial of service and unauthorized access. | ||||
| CVE-2023-2161 | 1 Schneider-electric | 1 Opc Factory Server | 2025-01-22 | 5 Medium |
| A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause unauthorized read access to the file system when a malicious configuration file is loaded on to the software by a local user. | ||||
| CVE-2025-23195 | 2025-01-22 | 7.5 High | ||
| An XML External Entity (XXE) vulnerability exists in the Ambari/Oozie project, allowing an attacker to inject malicious XML entities. This vulnerability occurs due to insecure parsing of XML input using the `DocumentBuilderFactory` class without disabling external entity resolution. An attacker can exploit this vulnerability to read arbitrary files on the server or perform server-side request forgery (SSRF) attacks. The issue has been fixed in both Ambari 2.7.9 and the trunk branch. | ||||
| CVE-2024-3486 | 1 Microfocus | 1 Imanager | 2025-01-21 | 7.8 High |
| XML External Entity injection vulnerability found in OpenText™ iManager 3.2.6.0200. This could lead to information disclosure and remote code execution. | ||||
| CVE-2024-3969 | 1 Microfocus | 1 Imanager | 2025-01-21 | 7.8 High |
| XML External Entity injection vulnerability found in OpenText™ iManager 3.2.6.0200. This could lead to remote code execution by parsing untrusted XML payload | ||||
| CVE-2022-46300 | 1 Visam | 1 Vbase Automation Base | 2025-01-17 | 5.5 Medium |
| Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file. | ||||
| CVE-2022-45468 | 1 Visam | 1 Vbase Automation Base | 2025-01-17 | 5.5 Medium |
| Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file. | ||||
| CVE-2022-45121 | 1 Visam | 1 Vbase Automation Base | 2025-01-17 | 5.5 Medium |
| Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file. | ||||
| CVE-2022-43512 | 1 Visam | 1 Vbase Automation Base | 2025-01-17 | 5.5 Medium |
| Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file. | ||||
| CVE-2022-41696 | 1 Visam | 1 Vbase Automation Base | 2025-01-17 | 5.5 Medium |
| Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file. | ||||
| CVE-2022-45876 | 1 Visam | 1 Vbase | 2025-01-17 | 5.5 Medium |
| Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file. | ||||
| CVE-2022-41221 | 1 Opentext | 1 Archive Center Administration | 2025-01-17 | 7.1 High |
| The client in OpenText Archive Center Administration through 21.2 allows XXE attacks. Authenticated users of the OpenText Archive Center Administration client (Versions 16.2.3, 21.2, and older versions) could upload XML files to the application that it did not sufficiently validate. As a result, attackers could craft XML files that, when processed by the application, would cause a negative security impact such as data exfiltration or localized denial of service against the application instance and system of the user running it. | ||||
| CVE-2024-4357 | 1 Progress | 1 Telerik Reporting | 2025-01-16 | 6.5 Medium |
| An information disclosure vulnerability exists in Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, allows low-privilege attacker to read systems file via XML External Entity Processing. | ||||
| CVE-2024-12298 | 2025-01-14 | 5.5 Medium | ||
| We found a vulnerability Improper Restriction of XML External Entity Reference (CWE-611) in NB-series NX-Designer. Attackers may be able to abuse this vulnerability to disclose confidential data on a computer. | ||||
| CVE-2023-34411 | 1 Xml Library Project | 1 Xml Library | 2025-01-08 | 7.5 High |
| The xml-rs crate before 0.8.14 for Rust and Crab allows a denial of service (panic) via an invalid <! token (such as <!DOCTYPEs/%<!A nesting) in an XML document. The earliest affected version is 0.8.9. | ||||
| CVE-2023-46590 | 1 Siemens | 1 Siemens Opc Ua Modeling Editor | 2025-01-08 | 7.5 High |
| A vulnerability has been identified in Siemens OPC UA Modelling Editor (SiOME) (All versions < V2.8). Affected products suffer from a XML external entity (XXE) injection vulnerability. This vulnerability could allow an attacker to interfere with an application's processing of XML data and read arbitrary files in the system. | ||||
| CVE-2023-24470 | 1 Microfocus | 1 Arcsight Logger | 2025-01-06 | 9.1 Critical |
| Potential XML External Entity Injection in ArcSight Logger versions prior to 7.3.0. | ||||