Total
1103 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-4357 | 1 Progress | 1 Telerik Reporting | 2025-01-16 | N/A | 6.5 MEDIUM |
| An information disclosure vulnerability exists in Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, allows low-privilege attacker to read systems file via XML External Entity Processing. | |||||
| CVE-2024-12298 | 2025-01-14 | N/A | 5.5 MEDIUM | ||
| We found a vulnerability Improper Restriction of XML External Entity Reference (CWE-611) in NB-series NX-Designer. Attackers may be able to abuse this vulnerability to disclose confidential data on a computer. | |||||
| CVE-2024-30043 | 1 Microsoft | 1 Sharepoint Server | 2025-01-08 | N/A | 6.5 MEDIUM |
| Microsoft SharePoint Server Information Disclosure Vulnerability | |||||
| CVE-2023-34411 | 1 Xml Library Project | 1 Xml Library | 2025-01-08 | N/A | 7.5 HIGH |
| The xml-rs crate before 0.8.14 for Rust and Crab allows a denial of service (panic) via an invalid <! token (such as <!DOCTYPEs/%<!A nesting) in an XML document. The earliest affected version is 0.8.9. | |||||
| CVE-2024-49064 | 1 Microsoft | 1 Sharepoint Server | 2025-01-08 | N/A | 6.5 MEDIUM |
| Microsoft SharePoint Information Disclosure Vulnerability | |||||
| CVE-2023-24470 | 1 Microfocus | 1 Arcsight Logger | 2025-01-06 | N/A | 9.1 CRITICAL |
| Potential XML External Entity Injection in ArcSight Logger versions prior to 7.3.0. | |||||
| CVE-2023-29498 | 1 Fujielectric | 1 Frenic Rhc Loader | 2025-01-03 | N/A | 5.5 MEDIUM |
| Improper restriction of XML external entity reference (XXE) vulnerability exists in FRENIC RHC Loader v1.1.0.3 and earlier. If a user opens a specially crafted project file, sensitive information on the system where the affected product is installed may be disclosed. | |||||
| CVE-2024-56324 | 2025-01-03 | N/A | N/A | ||
| GoCD is a continuous deliver server. GoCD versions prior to 24.4.0 can allow GoCD "group admins" to abuse ability to edit the raw XML configuration for groups they administer to trigger XML External Entity (XXE) injection on the GoCD server. Theoretically, the XXE vulnerability can result in additional attacks such as SSRF, information disclosure from the GoCD server, and directory traversal, although these additional attacks have not been explicitly demonstrated as exploitable. This issue is fixed in GoCD 24.5.0. Some workarounds are available. One may temporarily block access to `/go/*/pipelines/snippet` routes from an external reverse proxy or WAF if one's "group admin" users do not need the functionality to edit the XML of pipelines directly (rather than using the UI, or using a configuration repository). One may also prevent external access from one's GoCD server to arbitrary locations using some kind of environment egress control. | |||||
| CVE-2024-56322 | 2025-01-03 | N/A | N/A | ||
| GoCD is a continuous deliver server. GoCD versions 16.7.0 through 24.4.0 (inclusive) can allow GoCD admins to abuse a hidden/unused configuration repository (pipelines as code) feature to allow XML External Entity (XXE) injection on the GoCD Server which will be executed when GoCD periodically scans configuration repositories for pipeline updates, or is triggered by an administrator or config repo admin. In practice the impact of this vulnerability is limited, in most cases without combining with another vulnerability, as only GoCD (super) admins have the ability to abuse this vulnerability. Typically a malicious GoCD admin can cause much larger damage than that they can do with XXE injection. The issue is fixed in GoCD 24.5.0. As a workaround, prevent external access from the GoCD server to arbitrary locations using some kind of environment egress control. | |||||
| CVE-2024-55081 | 2025-01-02 | N/A | 9.8 CRITICAL | ||
| An XML External Entity (XXE) injection vulnerability in the component /datagrip/upload of Chat2DB v0.3.5 allows attackers to execute arbitrary code via supplying a crafted XML input. | |||||
| CVE-2024-56356 | 1 Jetbrains | 1 Teamcity | 2025-01-02 | N/A | 5.9 MEDIUM |
| In JetBrains TeamCity before 2024.12 insecure XMLParser configuration could lead to potential XXE attack | |||||
| CVE-2021-22501 | 2024-12-19 | N/A | N/A | ||
| Improper Restriction of XML External Entity Reference vulnerability in OpenText™ Operations Bridge Manager allows Input Data Manipulation. The vulnerability could be exploited to confidential information This issue affects Operations Bridge Manager: 2017.05, 2017.11, 2018.05, 2018.11, 2019.05, 2019.11, 2020.05, 2020.10. | |||||
| CVE-2024-31139 | 1 Jetbrains | 1 Teamcity | 2024-12-16 | N/A | 5.9 MEDIUM |
| In JetBrains TeamCity before 2024.03 xXE was possible in the Maven build steps detector | |||||
| CVE-2023-25926 | 3 Ibm, Linux, Microsoft | 4 Aix, Security Guardium Key Lifecycle Manager, Linux Kernel and 1 more | 2024-12-13 | N/A | 5.5 MEDIUM |
| IBM Security Guardium Key Lifecycle Manager 3.0, 3.0.1, 4.0, 4.1, and 4.1.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 247599. | |||||
| CVE-2024-55887 | 2024-12-13 | N/A | 8.6 HIGH | ||
| Ucum-java is a FHIR Java library providing UCUM Services. In versions prior to 1.0.9, XML parsing performed by the UcumEssenceService is vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag could produce XML containing data from the host system. This impacts use cases where ucum is being used to within a host where external clients can submit XML. Release 1.0.9 of Ucum-java fixes this vulnerability. As a workaround, ensure that the source xml for instantiating UcumEssenceService is trusted. | |||||
| CVE-2024-55875 | 2024-12-13 | N/A | 9.8 CRITICAL | ||
| http4k is a functional toolkit for Kotlin HTTP applications. Prior to version 5.41.0.0, there is a potential XXE (XML External Entity Injection) vulnerability when http4k handling malicious XML contents within requests, which might allow attackers to read local sensitive information on server, trigger Server-side Request Forgery and even execute code under some circumstances. Version 5.41.0.0 contains a patch for the issue. | |||||
| CVE-2024-11622 | 1 Hpe | 1 Insight Remote Support | 2024-12-12 | N/A | 7.3 HIGH |
| An XML external entity injection (XXE) vulnerability in HPE Insight Remote Support may allow remote users to disclose information in certain cases. | |||||
| CVE-2024-53674 | 1 Hpe | 1 Insight Remote Support | 2024-12-12 | N/A | 7.3 HIGH |
| An XML external entity injection (XXE) vulnerability in HPE Insight Remote Support may allow remote users to disclose information in certain cases. | |||||
| CVE-2024-53675 | 1 Hpe | 1 Insight Remote Support | 2024-12-12 | N/A | 7.3 HIGH |
| An XML external entity injection (XXE) vulnerability in HPE Insight Remote Support may allow remote users to disclose information in certain cases. | |||||
| CVE-2024-46455 | 2024-12-12 | N/A | 9.8 CRITICAL | ||
| unstructured v.0.14.2 and before is vulnerable to XML External Entity (XXE) via the XMLParser. | |||||