Total
1103 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-42035 | | | 2024-11-21 | N/A | 6.5 MEDIUM |
Visualware MyConnection Server doIForward XML External Entity Processing Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Visualware MyConnection Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the doIForward method. Due to the improper restriction of XML External Entity (XXE) references, a crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-CAN-21774. | |||||
CVE-2023-41933 | 1 Jenkins | 1 Job Configuration History | 2024-11-21 | N/A | 8.8 HIGH |
Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
CVE-2023-41932 | 1 Jenkins | 1 Job Configuration History | 2024-11-21 | N/A | 6.5 MEDIUM |
Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not restrict 'timestamp' query parameters in multiple endpoints, allowing attackers with to delete attacker-specified directories on the Jenkins controller file system as long as they contain a file called 'history.xml'. | |||||
CVE-2023-41369 | 1 Sap | 1 S/4 Hana | 2024-11-21 | N/A | 3.5 LOW |
The Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, 107, 108, allows an attacker to upload an XML file as an attachment. When the XML file is clicked in the attachment section, it is opened in the browser, where its entity loops slow down the browser. | |||||
CVE-2023-41365 | 1 Sap | 1 Business One | 2024-11-21 | N/A | 4.3 MEDIUM |
SAP Business One (B1i) - version 10.0, allows an authorized attacker to retrieve the detailed stack trace of the fault message to conduct the XXE injection, which will lead to information disclosure. After successful exploitation, an attacker can cause limited impact on the confidentiality and no impact to the integrity and availability. | |||||
CVE-2023-41034 | 1 Eclipse | 1 Leshan | 2024-11-21 | N/A | 6.5 MEDIUM |
Eclipse Leshan is a device management server and client Java implementation. In affected versions `DDFFileParser` and `DefaultDDFFileValidator` (and so `ObjectLoader`) are vulnerable to `XXE Attacks`. A DDF file is a LWM2M format used to store LWM2M object description. Leshan users are impacted only if they parse untrusted DDF files (e.g. if they let external users provide their own model); in that case they MUST upgrade to a fixed version. If you parse only trusted DDF files and validate only with a trusted XML schema, upgrading is not mandatory. This issue has been fixed in versions 1.5.0 and 2.0.0-M13. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
CVE-2023-40239 | 1 Lexmark | 164 C2132, C2132 Firmware, Cs310 and 161 more | 2024-11-21 | N/A | 7.5 HIGH |
Certain Lexmark devices (such as CS310) before 2023-08-25 allow XXE attacks, leading to information disclosure. The fixed firmware version is LW80.*.P246, i.e., '*' indicates that the full version specification varies across product model family, but firmware level P246 (or higher) is required to remediate the vulnerability. | |||||
CVE-2023-3892 | 1 Mimsoftware | 2 Assistant, Client | 2024-11-21 | N/A | 5.6 MEDIUM |
Improper Restriction of XML External Entity Reference vulnerability in MIM Assistant and Client DICOM RTst Loading modules allows XML Entity Linking / XML External Entities Blowup. In order to take advantage of this vulnerability, an attacker must craft a malicious XML document, embed this document into specific 3rd party private RTst metadata tags, transfer the now compromised DICOM object to MIM, and force MIM to archive and load the data. Users on either version are strongly encouraged to update to an unaffected version (7.2.11+, 7.3.4+). This issue was found and analyzed by MIM Software's internal security team. We are unaware of any proof of concept or actual exploit available in the wild. For more information, visit https://www.mimsoftware.com/cve-2023-3892. This issue affects MIM Assistant: 7.2.10, 7.3.3; MIM Client: 7.2.10, 7.3.3. | |||||
CVE-2023-3276 | 1 Dromara | 1 Hutool | 2024-11-21 | 5.2 MEDIUM | 5.5 MEDIUM |
A vulnerability, which was classified as problematic, has been found in Dromara HuTool up to 5.8.19. Affected by this issue is the function readBySax of the file XmlUtil.java of the component XML Parsing Module. The manipulation leads to xml external entity reference. The exploit has been disclosed to the public and may be used. VDB-231626 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
CVE-2023-3113 | 1 Lenovo | 1 Xclarity Administrator | 2024-11-21 | N/A | 8.2 HIGH |
An unauthenticated XML external entity injection (XXE) vulnerability exists in LXCA's Common Information Model (CIM) server that could result in read-only access to specific files. | |||||
CVE-2023-38490 | 1 Getkirby | 1 Kirby | 2024-11-21 | N/A | 6.8 MEDIUM |
Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 only affects Kirby sites that use the `Xml` data handler (e.g. `Data::decode($string, 'xml')`) or the `Xml::parse()` method in site or plugin code. The Kirby core does not use any of the affected methods. XML External Entities (XXE) is a little-used feature in the XML markup language that allows data from external files to be included in an XML structure. If the name of the external file can be controlled by an attacker, this becomes a vulnerability that can be abused for various system impacts like the disclosure of internal or confidential data that is stored on the server (arbitrary file disclosure) or to perform network requests on behalf of the server (server-side request forgery, SSRF). Kirby's `Xml::parse()` method used PHP's `LIBXML_NOENT` constant, which enabled the processing of XML external entities during the parsing operation. The `Xml::parse()` method is used in the `Xml` data handler (e.g. `Data::decode($string, 'xml')`). Both the vulnerable method and the data handler are not used in the Kirby core. However, they may be used in site or plugin code, e.g. to parse RSS feeds or other XML files. If those files are of an external origin (e.g. uploaded by a user or retrieved from an external URL), attackers may be able to include an external entity in the XML file that will then be processed in the parsing process. Kirby sites that don't use XML parsing in site or plugin code are *not* affected. The problem has been patched in Kirby 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6. In all of the mentioned releases, the maintainers have removed the `LIBXML_NOENT` constant as processing of external entities is out of scope of the parsing logic. This protects all uses of the method against the described vulnerability. | |||||
CVE-2023-38343 | 1 Ivanti | 1 Endpoint Manager | 2024-11-21 | N/A | 7.5 HIGH |
An XXE (XML external entity injection) vulnerability exists in the CSEP component of Ivanti Endpoint Manager before 2022 SU4. External entity references are enabled in the XML parser configuration. Exploitation of this vulnerability can lead to file disclosure or Server Side Request Forgery. | |||||
CVE-2023-37942 | 1 Jenkins | 1 External Monitor Job Type | 2024-11-21 | N/A | 6.5 MEDIUM |
Jenkins External Monitor Job Type Plugin 206.v9a_94ff0b_4a_10 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
CVE-2023-37497 | 1 Hcltech | 1 Unica | 2024-11-21 | N/A | 8.1 HIGH |
The Unica application exposes an API which accepts arbitrary XML input. By manipulating the given XML, an authenticated attacker with certain rights can successfully perform XML External Entity attacks (XXE) against the backend service. | |||||
CVE-2023-37364 | 1 Ws-inc | 1 J Wbem | 2024-11-21 | N/A | 9.1 CRITICAL |
In WS-Inc J WBEM Server 4.7.4 before 4.7.5, the CIM-XML protocol adapter does not disable entity resolution. This allows context-dependent attackers to read arbitrary files or cause a denial of service, a similar issue to CVE-2013-4152. | |||||
CVE-2023-37200 | 1 Se | 1 Ecostruxure Opc Ua Server Expert | 2024-11-21 | N/A | 5.5 MEDIUM |
A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause loss of confidentiality when replacing a project file on the local filesystem and after manual restart of the server. | |||||
CVE-2023-36419 | 1 Microsoft | 1 Azure Hdinsights | 2024-11-21 | N/A | 8.8 HIGH |
Azure HDInsight Apache Oozie Workflow Scheduler XXE Elevation of Privilege Vulnerability | |||||
CVE-2023-35892 | 1 Ibm | 1 Financial Transaction Manager | 2024-11-21 | N/A | 7.1 HIGH |
IBM Financial Transaction Manager for SWIFT Services 3.2.4 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 258786. | |||||
CVE-2023-35786 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2024-11-21 | N/A | 4.9 MEDIUM |
Zoho ManageEngine ADManager Plus before 7183 allows admin users to exploit an XXE issue to view files. | |||||
CVE-2023-35389 | 1 Microsoft | 1 Dynamics 365 | 2024-11-21 | N/A | 6.5 MEDIUM |
Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability |