Total
1155 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-42194 | 1 Eyoucms | 1 Eyoucms | 2024-11-21 | 7.2 High |
| The wechat_return function in /controller/Index.php of EyouCms V1.5.4-UTF8-SP3 passes the user's input directly into the simplexml_ load_ String function, which itself does not prohibit external entities, triggering a XML external entity (XXE) injection vulnerability. | ||||
| CVE-2021-41770 | 1 Pingidentity | 1 Pingfederate | 2024-11-21 | 7.5 High |
| Ping Identity PingFederate before 10.3.1 mishandles pre-parsing validation, leading to an XXE attack that can achieve XML file disclosure. | ||||
| CVE-2021-41411 | 1 Redhat | 1 Drools | 2024-11-21 | 9.8 Critical |
| drools <=7.59.x is affected by an XML External Entity (XXE) vulnerability in KieModuleMarshaller.java. The Validator class is not used correctly, resulting in the XXE injection vulnerability. | ||||
| CVE-2021-41098 | 1 Nokogiri | 1 Nokogiri | 2024-11-21 | 7.5 High |
| Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected: Nokogiri::XML::SAX::Parse, Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser, Nokogiri::XML::SAX::PushParser, and Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser. JRuby users should upgrade to Nokogiri v1.12.5 or later to receive a patch for this issue. There are no workarounds available for v1.12.4 or earlier. CRuby users are not affected. | ||||
| CVE-2021-41042 | 1 Eclipse | 1 Lyo | 2024-11-21 | 5.3 Medium |
| In Eclipse Lyo versions 1.0.0 to 4.1.0, a TransformerFactory is initialized with the defaults that do not restrict DTD loading when working with RDF/XML. This allows an attacker to cause an external DTD to be retrieved. | ||||
| CVE-2021-40722 | 1 Adobe | 2 Experience Manager, Experience Manager Cloud Service | 2024-11-21 | 9.8 Critical |
| AEM Forms Cloud Service offering, as well as version 6.5.10.0 (and below) are affected by an XML External Entity (XXE) injection vulnerability that could be abused by an attacker to achieve RCE. | ||||
| CVE-2021-40510 | 1 Obdasystems | 1 Mastro | 2024-11-21 | 7.5 High |
| XML eXternal Entity (XXE) in OBDA systems’ Mastro 1.0 allows remote attackers to read system files via custom DTDs. | ||||
| CVE-2021-40500 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2024-11-21 | 7.5 High |
| SAP BusinessObjects Business Intelligence Platform (Crystal Reports) - versions 420, 430, allows an unauthenticated attacker to exploit missing XML validations at endpoints to read sensitive data. These endpoints are normally exposed over the network and successful exploitation can enable the attacker to retrieve arbitrary files from the server. | ||||
| CVE-2021-40439 | 1 Apache | 1 Openoffice | 2024-11-21 | 6.5 Medium |
| Apache OpenOffice has a dependency on expat software. Versions prior to 2.1.0 were subject to CVE-2013-0340 a "Billion Laughs" entity expansion denial of service attack and exploit via crafted XML files. ODF files consist of a set of XML files. All versions of Apache OpenOffice up to 4.1.10 are subject to this issue. expat in version 4.1.11 is patched. | ||||
| CVE-2021-40356 | 1 Siemens | 1 Teamcenter Visualization | 2024-11-21 | 7.5 High |
| A vulnerability has been identified in Teamcenter V12.4 (All versions < V12.4.0.8), Teamcenter V13.0 (All versions < V13.0.0.7), Teamcenter V13.1 (All versions < V13.1.0.5), Teamcenter V13.2 (All versions < 13.2.0.2). The application contains a XML External Entity Injection (XXE) vulnerability. This could allow an attacker to view files on the application server filesystem. | ||||
| CVE-2021-3878 | 1 Stanford | 1 Corenlp | 2024-11-21 | 9.8 Critical |
| corenlp is vulnerable to Improper Restriction of XML External Entity Reference | ||||
| CVE-2021-3869 | 1 Stanford | 1 Corenlp | 2024-11-21 | 7.5 High |
| corenlp is vulnerable to Improper Restriction of XML External Entity Reference | ||||
| CVE-2021-3836 | 1 Dbeaver | 1 Dbeaver | 2024-11-21 | 5.5 Medium |
| dbeaver is vulnerable to Improper Restriction of XML External Entity Reference | ||||
| CVE-2021-3312 | 1 Alkacon | 1 Opencms | 2024-11-21 | 6.5 Medium |
| An XML external entity (XXE) vulnerability in Alkacon OpenCms 11.0, 11.0.1 and 11.0.2 allows remote authenticated users with edit privileges to exfiltrate files from the server's file system by uploading a crafted SVG document. | ||||
| CVE-2021-3055 | 1 Paloaltonetworks | 1 Pan-os | 2024-11-21 | 6.5 Medium |
| An improper restriction of XML external entity (XXE) reference vulnerability in the Palo Alto Networks PAN-OS web interface enables an authenticated administrator to read any arbitrary file from the file system and send a specifically crafted request to the firewall that causes the service to crash. Repeated attempts to send this request result in denial of service to all PAN-OS services by restarting the device and putting it into maintenance mode. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14; PAN-OS 9.1 versions earlier than PAN-OS 9.1.10; PAN-OS 10.0 versions earlier than PAN-OS 10.0.6. This issue does not affect Prisma Access. | ||||
| CVE-2021-39371 | 2 Debian, Osgeo | 3 Debian Linux, Owslib, Pywps | 2024-11-21 | 7.5 High |
| An XML external entity (XXE) injection in PyWPS before 4.4.5 allows an attacker to view files on the application server filesystem by assigning a path to the entity. OWSLib 0.24.1 may also be affected. | ||||
| CVE-2021-39239 | 1 Apache | 1 Jena | 2024-11-21 | 7.5 High |
| A vulnerability in XML processing in Apache Jena, in versions up to 4.1.0, may allow an attacker to execute XML External Entities (XXE), including exposing the contents of local files to a remote server. | ||||
| CVE-2021-38584 | 1 Cpanel | 1 Cpanel | 2024-11-21 | 7.2 High |
| The WHM Locale Upload feature in cPanel before 98.0.1 allows XXE attacks (SEC-585). | ||||
| CVE-2021-38555 | 1 Apache | 1 Any23 | 2024-11-21 | 9.1 Critical |
| An XML external entity (XXE) injection vulnerability was discovered in the Any23 StreamUtils.java file and is known to affect Any23 versions < 2.5. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access. | ||||
| CVE-2021-38298 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2024-11-21 | 9.8 Critical |
| Zoho ManageEngine ADManager Plus before 7110 is vulnerable to blind XXE. | ||||