Total
1221 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-16549 | 1 Jenkins | 1 Maven | 2024-11-21 | 8.1 High |
| Jenkins Maven Release Plugin 0.16.1 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks, allowing man-in-the-middle attackers to have Jenkins parse crafted XML documents. | ||||
| CVE-2019-16188 | 1 Hcltech | 1 Appscan Source | 2024-11-21 | 7.1 High |
| HCL AppScan Source before 9.03.13 is susceptible to XML External Entity (XXE) attacks in multiple locations. In particular, an attacker can send a specially crafted .ozasmt file to a targeted victim and ask the victim to open it. When the victim imports the .ozasmt file in AppScan Source, the content of any file in the local file system (to which the victim as read access) can be exfiltrated to a remote listener under the attacker's control. The product does not disable external XML Entity Processing, which can lead to information disclosure and denial of services attacks. | ||||
| CVE-2019-16174 | 1 Limesurvey | 1 Limesurvey | 2024-11-21 | 8.8 High |
| An XML injection vulnerability was found in Limesurvey before 3.17.14 that allows remote attackers to import specially crafted XML files and execute code or compromise data integrity. | ||||
| CVE-2019-15983 | 1 Cisco | 1 Data Center Network Manager | 2024-11-21 | 4.9 Medium |
| A vulnerability in the SOAP API of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system. To exploit this vulnerability, an attacker would need administrative privileges on the DCNM application. The vulnerability exists because the SOAP API improperly handles XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by inserting malicious XML content in an API request. A successful exploit could allow the attacker to read arbitrary files from the affected device. Note: The severity of this vulnerability is aggravated by the vulnerabilities described in the Cisco Data Center Network Manager Authentication Bypass Vulnerabilities advisory, published simultaneously with this one. | ||||
| CVE-2019-15641 | 1 Webmin | 1 Webmin | 2024-11-21 | N/A |
| xmlrpc.cgi in Webmin through 1.930 allows authenticated XXE attacks. By default, only root, admin, and sysadm can access xmlrpc.cgi. | ||||
| CVE-2019-15637 | 4 Apple, Linux, Microsoft and 1 more | 7 Macos, Linux Kernel, Windows and 4 more | 2024-11-21 | 8.1 High |
| Numerous Tableau products are vulnerable to XXE via a malicious workbook, extension, or data source, leading to information disclosure or a DoS. This affects Tableau Server, Tableau Desktop, Tableau Reader, and Tableau Public Desktop. | ||||
| CVE-2019-14693 | 1 Zohocorp | 1 Manageengine Assetexplorer | 2024-11-21 | N/A |
| Zoho ManageEngine AssetExplorer 6.2.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing license XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. | ||||
| CVE-2019-14678 | 6 Hp, Ibm, Linux and 3 more | 15 Hp-ux, Aix, Z\/os and 12 more | 2024-11-21 | 10.0 Critical |
| SAS XML Mapper 9.45 has an XML External Entity (XXE) vulnerability that can be leveraged by malicious attackers in multiple ways. Examples are Local File Reading, Out Of Band File Exfiltration, Server Side Request Forgery, and/or Potential Denial of Service attacks. This vulnerability also affects the XMLV2 LIBNAME engine when the AUTOMAP option is used. | ||||
| CVE-2019-14276 | 1 Xnat | 1 Xnat | 2024-11-21 | 6.5 Medium |
| WUSTL XNAT 1.7.5.3 allows XXE attacks via a POST request body. | ||||
| CVE-2019-14258 | 1 Zenoss | 1 Zenoss | 2024-11-21 | N/A |
| The XML-RPC subsystem in Zenoss 2.5.3 allows XXE attacks that lead to unauthenticated information disclosure via port 9988. | ||||
| CVE-2019-13990 | 6 Apache, Atlassian, Netapp and 3 more | 35 Tomee, Jira Service Management, Active Iq Unified Manager and 32 more | 2024-11-21 | 9.8 Critical |
| initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description. | ||||
| CVE-2019-13625 | 1 Nsa | 1 Ghidra | 2024-11-21 | N/A |
| NSA Ghidra before 9.0.1 allows XXE when a project is opened or restored, or a tool is imported, as demonstrated by a project.prp file. | ||||
| CVE-2019-13358 | 1 Opencats | 1 Opencats | 2024-11-21 | 7.5 High |
| lib/DocumentToText.php in OpenCats before 0.9.4-3 has XXE that allows remote users to read files on the underlying operating system. The attacker must upload a file in the docx or odt format. | ||||
| CVE-2019-13176 | 1 3cx | 1 3cx | 2024-11-21 | N/A |
| An issue was discovered in the 3CX Phone system (web) management console 12.5.44178.1002 through 12.5 SP2. The Content.MainForm.wgx component is affected by XXE via a crafted XML document in POST data. There is potential to use this for SSRF (reading local files, outbound HTTP, and outbound DNS). | ||||
| CVE-2019-13031 | 2 Debian, Lemonldap-ng | 2 Debian Linux, Lemonldap\ | 2024-11-21 | N/A |
| LemonLDAP::NG before 1.9.20 has an XML External Entity (XXE) issue when submitting a notification to the notification server. By default, the notification server is not enabled and has a "deny all" rule. | ||||
| CVE-2019-12924 | 1 Mailenable | 1 Mailenable | 2024-11-21 | N/A |
| MailEnable Enterprise Premium 10.23 was vulnerable to XML External Entity Injection (XXE) attacks that could be exploited by an unauthenticated user. It was possible for an attacker to use a vulnerability in the configuration of the XML processor to read any file on the host system. Because all credentials were stored in a cleartext file, it was possible to steal all users' credentials (including the highest privileged users). | ||||
| CVE-2019-12415 | 3 Apache, Oracle, Redhat | 28 Poi, Application Testing Suite, Banking Enterprise Originations and 25 more | 2024-11-21 | 5.5 Medium |
| In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing. | ||||
| CVE-2019-12331 | 1 Phpoffice | 1 Phpspreadsheet | 2024-11-21 | 8.8 High |
| PHPOffice PhpSpreadsheet before 1.8.0 has an XXE issue. The XmlScanner decodes the sheet1.xml from an .xlsx to utf-8 if something else than UTF-8 is declared in the header. This was a security measurement to prevent CVE-2018-19277 but the fix is not sufficient. By double-encoding the the xml payload to utf-7 it is possible to bypass the check for the string ‚<!ENTITY‘ and thus allowing for an xml external entity processing (XXE) attack. | ||||
| CVE-2019-12154 | 1 Realobjects | 1 Pdfreactor | 2024-11-21 | N/A |
| XXE in the XML parser library in RealObjects PDFreactor before 10.1.10722 allows attackers to supply malicious XML content in externally referenced resources, leading to disclosure of local file contents and/or denial of service conditions. | ||||
| CVE-2019-11677 | 1 Zohocorp | 1 Manageengine Firewall Analyzer | 2024-11-21 | N/A |
| The Custom Report import function in Zoho ManageEngine Firewall Analyzer before 12.3 Build 123224 is vulnerable to XML External Entity (XXE) Injection. | ||||