Total
1103 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-34345 | 2024-11-21 | N/A | 8.1 HIGH | ||
| The CycloneDX JavaScript library contains the core functionality of OWASP CycloneDX for JavaScript. In 6.7.0, XML External entity injections were possible, when running the provided XML Validator on arbitrary input. This issue was fixed in version 6.7.1. | |||||
| CVE-2024-2826 | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability classified as problematic was found in lakernote EasyAdmin up to 20240315. This vulnerability affects unknown code of the file /ureport/designer/saveReportFile. The manipulation leads to xml external entity reference. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257716. | |||||
| CVE-2024-29010 | 2024-11-21 | N/A | 7.1 HIGH | ||
| The XML document processed in the GMS ECM URL endpoint is vulnerable to XML external entity (XXE) injection, potentially resulting in the disclosure of sensitive information. This issue affects GMS: 9.3.4 and earlier versions. | |||||
| CVE-2024-28168 | 2024-11-21 | N/A | 7.5 HIGH | ||
| Improper Restriction of XML External Entity Reference ('XXE') vulnerability in Apache XML Graphics FOP. This issue affects Apache XML Graphics FOP: 2.9. Users are recommended to upgrade to version 2.10, which fixes the issue. | |||||
| CVE-2024-28039 | 2024-11-21 | N/A | 5.8 MEDIUM | ||
| Improper restriction of XML external entity references vulnerability exists in FitNesse all releases, which allows a remote unauthenticated attacker to obtain sensitive information, alter data, or cause a denial-of-service (DoS) condition. | |||||
| CVE-2024-27266 | 1 Ibm | 1 Maximo Application Suite | 2024-11-21 | N/A | 8.2 HIGH |
| IBM Maximo Application Suite 7.6.1.3 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 284566. | |||||
| CVE-2024-24743 | 1 Sap | 1 Netweaver Application Server Java | 2024-11-21 | N/A | 8.6 HIGH |
| SAP NetWeaver AS Java (CAF - Guided Procedures) - version 7.50, allows an unauthenticated attacker to submit a malicious request with a crafted XML file over the network, which when parsed will enable him to access sensitive files and data but not modify them. There are expansion limits in place so that availability is not affected. | |||||
| CVE-2024-23525 | 1 Tozt | 1 Spreadsheet\ | 2024-11-21 | N/A | 6.5 MEDIUM |
| The Spreadsheet::ParseXLSX package before 0.30 for Perl allows XXE attacks because it neglects to use the no_xxe option of XML::Twig. | |||||
| CVE-2024-22380 | 1 Maff | 1 Electronic Delivery Check System | 2024-11-21 | N/A | 5.5 MEDIUM |
| Electronic Delivery Check System (Ministry of Agriculture, Forestry and Fisheries The Agriculture and Rural Development Project Version) March, Heisei 31 era edition Ver.14.0.001.002 and earlier improperly restricts XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker. | |||||
| CVE-2024-22354 | 2024-11-21 | N/A | 7.0 HIGH | ||
| IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.5 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information, consume memory resources, or to conduct a server-side request forgery attack. IBM X-Force ID: 280401. | |||||
| CVE-2024-22024 | 1 Ivanti | 3 Connect Secure, Policy Secure, Zero Trust Access | 2024-11-21 | N/A | 8.3 HIGH |
| An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain restricted resources without authentication. | |||||
| CVE-2024-21796 | 1 Dfeg | 1 Electronic Deliverables Creation Support Tool | 2024-11-21 | N/A | 5.5 MEDIUM |
| Electronic Deliverables Creation Support Tool (Construction Edition) prior to Ver1.0.4 and Electronic Deliverables Creation Support Tool (Design & Survey Edition) prior to Ver1.0.4 improperly restrict XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker. | |||||
| CVE-2024-21765 | 1 Cals-ed | 2 Electronic Delivery Check System, Electronic Delivery Item Inspection Support System | 2024-11-21 | N/A | 5.5 MEDIUM |
| Electronic Delivery Check System (Doboku) Ver.18.1.0 and earlier, Electronic Delivery Check System (Dentsu) Ver.12.1.0 and earlier, Electronic Delivery Check System (Kikai) Ver.10.1.0 and earlier, and Electronic delivery item Inspection Support SystemVer.4.0.31 and earlier improperly restrict XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker. | |||||
| CVE-2024-1167 | 1 Seweurodrive | 1 Movitools Motionstudio | 2024-11-21 | N/A | 5.5 MEDIUM |
| When SEW-EURODRIVE MOVITOOLS MotionStudio processes XML information unrestricted file access can occur. | |||||
| CVE-2023-6836 | 1 Wso2 | 7 Api Manager, Api Manager Analytics, Api Microgateway and 4 more | 2024-11-21 | N/A | 4.6 MEDIUM |
| Multiple WSO2 products have been identified as vulnerable due to an XML External Entity (XXE) attack abuses a widely available but rarely used feature of XML parsers to access sensitive information. | |||||
| CVE-2023-6721 | 1 Europeana | 1 Repox | 2024-11-21 | N/A | 8.3 HIGH |
| An XEE vulnerability has been found in Repox, which allows a remote attacker to interfere with the application's XML data processing in the fileupload function, resulting in interaction between the attacker and the server's file system. | |||||
| CVE-2023-6280 | 1 52north | 1 Wps | 2024-11-21 | N/A | 7.2 HIGH |
| An XXE (XML External Entity) vulnerability has been detected in 52North WPS affecting versions prior to 4.0.0-beta.11. This vulnerability allows the use of external entities in its WebProcessingService servlet for an attacker to retrieve files by making HTTP requests to the internal network. | |||||
| CVE-2023-6194 | 1 Eclipse | 1 Memory Analyzer | 2024-11-21 | N/A | 2.8 LOW |
| In Eclipse Memory Analyzer versions 0.7 to 1.14.0, report definition XML files are not filtered to prohibit document type definition (DTD) references to external entities. This means that if a user chooses to use a malicious report definition XML file containing an external entity reference to generate a report then Eclipse Memory Analyzer may access external files or URLs defined via a DTD in the report definition. | |||||
| CVE-2023-6149 | 1 Qualys | 1 Web Application Screening | 2024-11-21 | N/A | 5.7 MEDIUM |
| Qualys Jenkins Plugin for WAS prior to version and including 2.0.11 was identified to be affected by a security flaw, which was missing a permission check while performing a connectivity check to Qualys Cloud Services. This allowed any user with login access to configure or edit jobs to utilize the plugin and configure potential a rouge endpoint via which it was possible to control response for certain request which could be injected with XXE payloads leading to XXE while processing the response data | |||||
| CVE-2023-5136 | 1 Ni | 4 Diadem, Flexlogger, Topografix Data Plugin and 1 more | 2024-11-21 | N/A | 5.5 MEDIUM |
| An incorrect permission assignment in the TopoGrafix DataPlugin for GPX could result in information disclosure. An attacker could exploit this vulnerability by getting a user to open a specially crafted data file. | |||||