Total
1156 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-11885 | 1 Wso2 | 1 Enterprise Integrator | 2024-11-21 | 7.2 High |
| WSO2 Enterprise Integrator through 6.6.0 has an XXE vulnerability where a user (with admin console access) can use the XML validator to make unintended network invocations such as SSRF via an uploaded file. | ||||
| CVE-2020-11586 | 1 Cipplanner | 1 Cipace | 2024-11-21 | 9.8 Critical |
| An XXE issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make an API request that contains malicious XML DTD data. | ||||
| CVE-2020-11541 | 1 Techsmith | 1 Snagit | 2024-11-21 | 5.5 Medium |
| In TechSmith SnagIt 11.2.1 through 20.0.3, an XML External Entity (XXE) injection issue exists that would allow a local attacker to exfiltrate data under the local Administrator account. | ||||
| CVE-2020-10993 | 1 Osmand | 1 Osmand | 2024-11-21 | 9.1 Critical |
| Osmand through 2.0.0 allow XXE because of binary/BinaryMapIndexReader.java. | ||||
| CVE-2020-10992 | 1 Azkaban Project | 1 Azkaban | 2024-11-21 | 9.8 Critical |
| Azkaban through 3.84.0 allows XXE, related to validator/XmlValidatorManager.java and user/XmlUserManager.java. | ||||
| CVE-2020-10991 | 1 Mulesoft | 1 Aplkit | 2024-11-21 | 9.8 Critical |
| Mulesoft APIkit through 1.3.0 allows XXE because of validation/RestXmlSchemaValidator.java | ||||
| CVE-2020-10990 | 1 Accenture | 1 Mercury | 2024-11-21 | 9.8 Critical |
| An XXE issue exists in Accenture Mercury before 1.12.28 because of the platformlambda/core/serializers/SimpleXmlParser.java component. | ||||
| CVE-2020-10799 | 1 Svglib Project | 1 Svglib | 2024-11-21 | 9.8 Critical |
| The svglib package through 0.9.3 for Python allows XXE attacks via an svg2rlg call. | ||||
| CVE-2020-10683 | 6 Canonical, Dom4j Project, Netapp and 3 more | 44 Ubuntu Linux, Dom4j, Oncommand Api Services and 41 more | 2024-11-21 | 9.8 Critical |
| dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j. | ||||
| CVE-2020-10629 | 1 Advantech | 1 Webaccess\/nms | 2024-11-21 | 7.5 High |
| WebAccess/NMS (versions prior to 3.0.2) does not sanitize XML input. Specially crafted XML input could allow an attacker to read sensitive files. | ||||
| CVE-2019-9843 | 1 Diffplug | 2 Gradle, Maven | 2024-11-21 | N/A |
| In DiffPlug Spotless before 1.20.0 (library and Maven plugin) and before 3.20.0 (Gradle plugin), the XML parser would resolve external entities over both HTTP and HTTPS and didn't respect the resolveExternalEntities setting. For example, this allows disclosure of file contents to a MITM attacker if a victim performs a spotlessApply operation on an untrusted XML file. | ||||
| CVE-2019-9761 | 1 Phpshe | 1 Phpshe | 2024-11-21 | N/A |
| An XXE issue was discovered in PHPSHE 1.7, which can be used to read any file in the system or scan the internal network without authentication. This occurs because of the call to wechat_getxml in include/plugin/payment/wechat/notify_url.php. | ||||
| CVE-2019-9757 | 1 Labkey | 1 Labkey Server | 2024-11-21 | 7.5 High |
| An issue was discovered in LabKey Server 19.1.0. Sending an SVG containing an XXE payload to the endpoint visualization-exportImage.view or visualization-exportPDF.view allows local files to be read. | ||||
| CVE-2019-9658 | 3 Checkstyle, Debian, Fedoraproject | 3 Checkstyle, Debian Linux, Fedora | 2024-11-21 | N/A |
| Checkstyle before 8.18 loads external DTDs by default. | ||||
| CVE-2019-9488 | 1 Trendmicro | 2 Deep Security Manager, Vulnerability Protection | 2024-11-21 | 4.9 Medium |
| Trend Micro Deep Security Manager (10.x, 11.x) and Vulnerability Protection (2.0) are vulnerable to a XML External Entity Attack. However, for the attack to be possible, the attacker must have root/admin access to a protected host which is authorized to communicate with the Deep Security Manager (DSM). | ||||
| CVE-2019-8999 | 1 Blackberry | 1 Unified Endpoint Management | 2024-11-21 | N/A |
| An XML External Entity vulnerability in the UEM Core of BlackBerry UEM version(s) earlier than 12.10.1a could allow an attacker to potentially gain read access to files on any system reachable by the UEM service account. | ||||
| CVE-2019-8997 | 1 Blackberry | 1 Athoc | 2024-11-21 | N/A |
| An XML External Entity Injection (XXE) vulnerability in the Management System (console) of BlackBerry AtHoc versions earlier than 7.6 HF-567 could allow an attacker to potentially read arbitrary local files from the application server or make requests on the network by entering maliciously crafted XML in an existing field. | ||||
| CVE-2019-8126 | 1 Magento | 1 Magento | 2024-11-21 | 4.9 Medium |
| An XML entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can craft document type definition for an XML representing XML layout. The crafted document type definition and XML layout allow processing of external entities which can lead to information disclosure. | ||||
| CVE-2019-8087 | 1 Adobe | 1 Experience Manager | 2024-11-21 | 7.5 High |
| Adobe Experience Manager versions 6.5, 6.4, 6.3 and 6.2 have a xml external entity injection vulnerability. Successful exploitation could lead to sensitive information disclosure. | ||||
| CVE-2019-8086 | 1 Adobe | 1 Experience Manager | 2024-11-21 | 7.5 High |
| Adobe Experience Manager versions 6.5, 6.4, 6.3 and 6.2 have a xml external entity injection vulnerability. Successful exploitation could lead to sensitive information disclosure. | ||||