Search Results (1279 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2017-7664 1 Apache 1 Openmeetings 2025-04-20 N/A
Uploaded XML documents were not correctly validated in Apache OpenMeetings 3.1.0.
CVE-2017-14949 1 Restlet 1 Restlet 2025-04-20 N/A
Restlet Framework before 2.3.12 allows remote attackers to access arbitrary files via a crafted REST API HTTP request that conducts an XXE attack, because only general external entities (not parameter external entities) are properly considered. This is related to XmlRepresentation, DOMRepresentation, SaxRepresentation, and JacksonRepresentation.
CVE-2014-0225 3 Pivotal Software, Redhat, Vmware 4 Spring Framework, Jboss Amq, Jboss Fuse and 1 more 2025-04-20 N/A
When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack.
CVE-2010-2245 1 Apache 1 Wink 2025-04-20 N/A
XML External Entity (XXE) vulnerability in Apache Wink 1.1.1 and earlier allows remote attackers to read arbitrary files or cause a denial of service via a crafted XML document.
CVE-2017-5992 1 Python 1 Openpyxl 2025-04-20 N/A
Openpyxl 2.4.1 resolves external entities by default, which allows remote attackers to conduct XXE attacks via a crafted .xlsx document.
CVE-2017-1149 1 Ibm 1 Urbancode Deploy 2025-04-20 N/A
IBM UrbanCode Deploy (UCD) 6.0, 6.1, and 6.2 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM X-Force ID: 122202.
CVE-2017-1477 1 Ibm 1 Security Access Manager 9.0 Firmware 2025-04-20 N/A
IBM Security Access Manager Appliance 9.0.3 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 128612.
CVE-2017-2308 1 Juniper 1 Junos Space 2025-04-20 N/A
An XML External Entity Injection vulnerability in Juniper Networks Junos Space versions prior to 16.1R1 may allow an authenticated user to read arbitrary files on the device.
CVE-2017-14101 1 Changehealthcare 1 Conserus Image Repository 2025-04-20 N/A
A security researcher found an XML External Entity (XXE) vulnerability on the Conserus Image Repository archive solution version 2.1.1.105 by McKesson Medical Imaging Company, which is now a Change Healthcare company. An unauthenticated user supplying a modified HTTP SOAP request to the vulnerable service allows for arbitrary file read access to the local file system as well as the transmittal of the application service's account hashed credentials to a remote attacker.
CVE-2017-12621 1 Apache 1 Commons Jelly 2025-04-20 9.8 Critical
During Jelly (xml) file parsing with Apache Xerces, if a custom doctype entity is declared with a "SYSTEM" entity with a URL and that entity is used in the body of the Jelly file, during parser instantiation the parser will attempt to connect to said URL. This could lead to XML External Entity (XXE) attacks in Apache Commons Jelly before 1.0.1.
CVE-2016-5002 2 Apache, Redhat 2 Xml-rpc, Jboss Fuse 2025-04-20 N/A
XML external entity (XXE) vulnerability in the Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted DTD.
CVE-2016-5795 2 Automatedlogic, Carrier 3 I-vu, Sitescan Web, Automatedlogic Webctrl 2025-04-20 N/A
An XXE issue was discovered in Automated Logic Corporation (ALC) Liebert SiteScan Web Version 6.5 and prior, ALC WebCTRL Version 6.5 and prior, and Carrier i-Vu Version 6.5 and prior. An attacker could enter malicious input to WebCTRL, i-Vu, or SiteScan Web through a weakly configured XML parser causing the application to execute arbitrary code or disclose file contents from a server or connected network.
CVE-2016-4434 2 Apache, Redhat 4 Tika, Jboss Bpms, Jboss Data Virtualization and 1 more 2025-04-20 N/A
Apache Tika before 1.13 does not properly initialize the XML parser or choose handlers, which might allow remote attackers to conduct XML External Entity (XXE) attacks via vectors involving (1) spreadsheets in OOXML files and (2) XMP metadata in PDF and other file formats, a related issue to CVE-2016-2175.
CVE-2017-9458 1 Paloaltonetworks 1 Pan-os 2025-04-20 N/A
XML external entity (XXE) vulnerability in the GlobalProtect internal and external gateway interface in Palo Alto Networks PAN-OS before 6.1.18, 7.0.x before 7.0.17, 7.1.x before 7.1.12, and 8.0.x before 8.0.3 allows remote attackers to obtain sensitive information, cause a denial of service, or conduct server-side request forgery (SSRF) attacks via unspecified vectors.
CVE-2017-8056 1 Watchguard 1 Fireware 2025-04-20 N/A
WatchGuard Fireware v11.12.1 and earlier mishandles requests referring to an XML External Entity (XXE), in the XML-RPC agent. This causes the Firebox wgagent process to crash. This process crash ends all authenticated sessions to the Firebox, including management connections, and prevents new authenticated sessions until the process has recovered. The Firebox may also experience an overall degradation in performance while the wgagent process recovers. An attacker could continuously send XML-RPC requests that contain references to external entities to perform a limited Denial of Service (DoS) attack against an affected Firebox.
CVE-2016-6059 1 Ibm 3 Infosphere Datastage, Infosphere Information Server, Infosphere Information Server On Cloud 2025-04-20 N/A
IBM InfoSphere Information Server is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources.
CVE-2017-8913 1 Sap 1 Netweaver Application Server Java 2025-04-20 8.8 High
The Visual Composer VC70RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via a crafted XML document in a request to irj/servlet/prt/portal/prtroot/com.sap.visualcomposer.BIKit.default, aka SAP Security Note 2386873.
CVE-2016-6805 1 Apache 1 Ignite 2025-04-20 N/A
Apache Ignite before 1.9 allows man-in-the-middle attackers to read arbitrary files via XXE in modified update-notifier documents.
CVE-2017-1192 1 Ibm 1 Sterling B2b Integrator 2025-04-20 N/A
IBM Sterling B2B Integrator 5.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. IBM X-Force ID: 123663.
CVE-2017-7503 1 Redhat 2 Jboss Enterprise Application Platform, Jboss Enterprise Application Platform Cd 2025-04-20 N/A
It was found that the Red Hat JBoss EAP 7.0.5 implementation of javax.xml.transform.TransformerFactory is vulnerable to XXE. An attacker could use this flaw to launch DoS or SSRF attacks, or read files from the server where EAP is deployed.