Total: 1168 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2015-7326 | 1 Milton | 1 Webdav | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| XML External Entity (XXE) vulnerability in Milton Webdav before 2.7.0.3. | |||||
| CVE-2014-3579 | 1 Apache | 1 Activemq Apollo | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| XML external entity (XXE) vulnerability in Apache ActiveMQ Apollo 1.x before 1.7.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML messages. | |||||
| CVE-2017-8040 | 1 Vmware | 1 Single Sign-on For Pivotal Cloud Foundry | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| In Single Sign-On for Pivotal Cloud Foundry (PCF) 1.3.x versions prior to 1.3.4 and 1.4.x versions prior to 1.4.3, an XXE (XML External Entity) attack was discovered in the Single Sign-On service dashboard. Privileged users can in some cases upload malformed XML leading to exposure of data on the Single Sign-On service broker file system. | |||||
| CVE-2016-0254 | 1 Ibm | 1 Cognos Business Intelligence | 2025-04-20 | 6.8 MEDIUM | 6.5 MEDIUM |
| IBM Cognos Business Intelligence 10.1 and 10.2 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote authenticated attacker could exploit this vulnerability to consume all available CPU resources and cause a denial of service. IBM X-Force ID: 110563. | |||||
| CVE-2017-8918 | 1 Blackwave | 1 Dive Assistant | 2025-04-20 | 4.3 MEDIUM | 5.5 MEDIUM |
| XXE in Dive Assistant - Template Builder in Blackwave Dive Assistant - Desktop Edition 8.0 allows attackers to remotely view local files via a crafted template.xml file. | |||||
| CVE-2015-0194 | 1 Ibm | 2 Sterling B2b Integrator, Sterling File Gateway | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| XML External Entity (XXE) vulnerability in IBM Sterling B2B Integrator 5.1 and 5.2 and IBM Sterling File Gateway 2.1 and 2.2 allows remote attackers to read arbitrary files via crafted XML data. | |||||
| CVE-2017-5661 | 1 Apache | 1 Formatting Objects Processor | 2025-04-20 | 7.9 HIGH | 7.3 HIGH |
| In Apache FOP before 2.2, files lying on the filesystem of the server which uses FOP can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root, a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service, as the references within an XML document can trivially trigger an amplification attack. | |||||
| CVE-2017-11286 | 1 Adobe | 1 Coldfusion | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| Adobe ColdFusion has an XML external entity (XXE) injection vulnerability. This affects Update 4 and earlier versions for ColdFusion 2016, and Update 12 and earlier versions for ColdFusion 11. | |||||
| CVE-2017-1192 | 1 Ibm | 1 Sterling B2b Integrator | 2025-04-20 | 6.4 MEDIUM | 8.2 HIGH |
| IBM Sterling B2B Integrator 5.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. IBM X-Force ID: 123663. | |||||
| CVE-2017-1000061 | 1 Xmlsec Project | 1 Xmlsec | 2025-04-20 | 5.8 MEDIUM | 7.1 HIGH |
| xmlsec 1.2.23 and before is vulnerable to XML External Entity Expansion when parsing crafted input documents, resulting in possible information disclosure or denial of service. | |||||
| CVE-2017-1289 | 1 Ibm | 1 Sdk | 2025-04-20 | 6.4 MEDIUM | 8.2 HIGH |
| IBM SDK, Java Technology Edition is vulnerable to an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. IBM X-Force ID: 125150. | |||||
| CVE-2017-5992 | 1 Python | 1 Openpyxl | 2025-04-20 | 5.8 MEDIUM | 8.2 HIGH |
| Openpyxl 2.4.1 resolves external entities by default, which allows remote attackers to conduct XXE attacks via a crafted .xlsx document. | |||||
| CVE-2014-9487 | 1 Mediawiki | 1 Mediawiki | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| The getid3 library in MediaWiki before 1.24.1, 1.23.8, 1.22.15 and 1.19.23 allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack. NOTE: Related to CVE-2014-2053. | |||||
| CVE-2015-7241 | 1 Sap | 1 Netweaver | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| XML External Entity (XXE) vulnerability in SAP Netweaver before 7.01. | |||||
| CVE-2015-7273 | 1 Dell | 3 Integrated Remote Access Controller 7, Integrated Remote Access Controller 8, Integrated Remote Access Controller Firmware | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Dell Integrated Remote Access Controller (iDRAC) 7/8 before 2.21.21.21 has XXE. | |||||
| CVE-2016-6256 | 1 Sap | 1 Business One | 2025-04-20 | 6.8 MEDIUM | 9.6 CRITICAL |
| SAP Business One for Android 1.2.3 allows remote attackers to conduct XML External Entity (XXE) attacks via crafted XML data in a request to B1iXcellerator/exec/soap/vP.001sap0003.in_WCSX/com.sap.b1i.vplatform.runtime/INB_WS_CALL_SYNC_XPT/INB_WS_CALL_SYNC_XPT.ipo/proc, aka SAP Security Note 2378065. | |||||
| CVE-2017-12216 | 1 Cisco | 1 Socialminer | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| A vulnerability in the web-based user interface of Cisco SocialMiner could allow an unauthenticated, remote attacker to have read and write access to information stored in the affected system. The vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing an XML file. An attacker could exploit this vulnerability by convincing the administrator of an affected system to import a crafted XML file with malicious entries, which could allow the attacker to read and write files and execute remote code within the application. Cisco Bug IDs: CSCvf47946. | |||||
| CVE-2022-25628 | 1 Broadcom | 1 Symantec Identity Governance And Administration | 2025-04-18 | N/A | 8.8 HIGH |
| An authenticated user can perform XML eXternal Entity injection in Management Console in Symantec Identity Manager 14.4. | |||||
| CVE-2025-24911 | | | 2025-04-17 | N/A | 4.9 MEDIUM |
| Overview: XML documents optionally contain a Document Type Definition (DTD), which, among other features, enables the definition of XML entities. It is possible to define an entity by providing a substitution string in the form of a URI. Once the content of the URI is read, it is fed back into the application that is processing the XML. This application may echo back the data (e.g. in an error message), thereby exposing the file contents. (CWE-611) Description: Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.2, including 9.3.x and 8.3.x, do not correctly protect Data Access XMLParserFactoryProducer against out-of-band XML External Entity Reference. Impact: By submitting an XML file that defines an external entity with a file:// URI, an attacker can cause the processing application to read the contents of a local file. Using URIs with other schemes such as http://, the attacker can force the application to make outgoing requests to servers that the attacker cannot reach directly, which can be used to bypass firewall restrictions or hide the source of attacks such as port scanning. | |||||
| CVE-2025-24910 | | | 2025-04-17 | N/A | 4.9 MEDIUM |
| Overview: XML documents optionally contain a Document Type Definition (DTD), which, among other features, enables the definition of XML entities. It is possible to define an entity by providing a substitution string in the form of a URI. Once the content of the URI is read, it is fed back into the application that is processing the XML. This application may echo back the data (e.g. in an error message), thereby exposing the file contents. (CWE-611) Description: Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.2, including 9.3.x and 8.3.x, do not correctly protect Pentaho Data Integration MessageSourceCrawler against out-of-band XML External Entity Reference. Impact: By submitting an XML file that defines an external entity with a file:// URI, an attacker can cause the processing application to read the contents of a local file. Using URIs with other schemes such as http://, the attacker can force the application to make outgoing requests to servers that the attacker cannot reach directly, which can be used to bypass firewall restrictions or hide the source of attacks such as port scanning. | |||||
