Total
1103 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-14101 | 1 Changehealthcare | 1 Conserus Image Repository | 2025-04-20 | 5.0 MEDIUM | 9.8 CRITICAL |
| A security researcher found an XML External Entity (XXE) vulnerability on the Conserus Image Repository archive solution version 2.1.1.105 by McKesson Medical Imaging Company, which is now a Change Healthcare company. An unauthenticated user supplying a modified HTTP SOAP request to the vulnerable service allows for arbitrary file read access to the local file system as well as the transmittal of the application service's account hashed credentials to a remote attacker. | |||||
| CVE-2016-8739 | 1 Apache | 1 Cxf | 2025-04-20 | 7.8 HIGH | 7.5 HIGH |
| The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk. | |||||
| CVE-2016-8348 | 1 Emerson | 1 Liebert Sitescan Web | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| An XML External Entity (XXE) issue was discovered in Emerson Liebert SiteScan Web Version 6.5, and prior. An attacker may enter malicious input to Liebert SiteScan through a weakly configured XML parser causing the application to execute arbitrary code or disclose file contents from a server or connected network. | |||||
| CVE-2017-14526 | 1 Opentext | 2 Documentum Administrator, Documentum Webtop | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| Multiple XML external entity (XXE) vulnerabilities in the OpenText Documentum Administrator 7.2.0180.0055 allow remote authenticated users to list the contents of arbitrary directories, read arbitrary files, cause a denial of service, or, on Windows, obtain Documentum user hashes via a (1) crafted DTD, involving unspecified XML structures in a request to xda/com/documentum/ucf/server/transport/impl/GAIRConnector or crafted XML file in a MediaProfile file (2) import or (3) check in. | |||||
| CVE-2017-7907 | 1 Schneider-electric | 1 Wonderware Historian Client | 2025-04-20 | 3.3 LOW | 6.6 MEDIUM |
| An Improper XML Parser Configuration issue was discovered in Schneider Electric Wonderware Historian Client 2014 R2 SP1 and prior. An improperly restricted XML parser (with improper restriction of XML external entity reference, or XXE) may allow an attacker to enter malicious input through the application which could cause a denial of service or disclose file contents from a server or connected network. | |||||
| CVE-2017-1000021 | 1 Logicaldoc | 1 Logicaldoc | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| LogicalDoc Community Edition 7.5.3 and prior is vulnerable to XXE when indexing XML documents. | |||||
| CVE-2017-8710 | 1 Microsoft | 2 Windows 7, Windows Server 2008 | 2025-04-20 | 4.3 MEDIUM | 5.5 MEDIUM |
| The Microsoft Common Console Document (.msc) in Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1 allows an attacker to read arbitrary files via an XML external entity (XXE) declaration, due to the way that the Microsoft Common Console Document (.msc) parses XML input containing a reference to an external entity, aka "Windows Information Disclosure Vulnerability". | |||||
| CVE-2016-9698 | 1 Ibm | 1 Rational Rhapsody Design Manager | 2025-04-20 | 7.5 HIGH | 8.1 HIGH |
| IBM Rhapsody DM 4.0, 5.0, and 6.0 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM Reference #: 1999960. | |||||
| CVE-2014-0030 | 1 Apache | 1 Roller | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| The XML-RPC protocol support in Apache Roller before 5.0.3 allows attackers to conduct XML External Entity (XXE) attacks via unspecified vectors. | |||||
| CVE-2017-8110 | 1 Modified-shop | 1 Modified Ecommerce Shopsoftware | 2025-04-20 | 7.5 HIGH | 10.0 CRITICAL |
| www.modified-shop.org modified eCommerce Shopsoftware 2.0.2.2 rev 10690 has XXE in api/it-recht-kanzlei/api-it-recht-kanzlei.php. | |||||
| CVE-2017-8557 | 1 Microsoft | 7 Windows 10, Windows 7, Windows 8.1 and 4 more | 2025-04-20 | 2.1 LOW | 5.5 MEDIUM |
| Windows System Information Console in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an information disclosure vulnerability improperly parses XML input containing a reference to an external entity, aka "Windows System Information Console Information Disclosure Vulnerability". | |||||
| CVE-2017-13706 | 1 Lansweeper | 1 Lansweeper | 2025-04-20 | 6.5 MEDIUM | 9.9 CRITICAL |
| XML external entity (XXE) vulnerability in the import package functionality of the deployment module in Lansweeper before 6.0.100.67 allows remote authenticated users to obtain sensitive information, cause a denial of service, conduct server-side request forgery (SSRF) attacks, conduct internal port scans, or have unspecified other impact via an XML request, aka bug #572705. | |||||
| CVE-2017-1322 | 1 Ibm | 1 Api Connect | 2025-04-20 | 6.4 MEDIUM | 8.2 HIGH |
| IBM API Connect 5.0.6.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. IBM X-Force ID: 125918. | |||||
| CVE-2016-2908 | 1 Ibm | 5 Security Access Manager 9.0 Firmware, Security Access Manager For Mobile 8.0 Firmware, Security Access Manager For Mobile Appliance and 2 more | 2025-04-20 | 6.4 MEDIUM | 9.1 CRITICAL |
| IBM Single Sign On for Bluemix could allow a remote attacker to obtain sensitive information, caused by a XML external entity (XXE) error when processing XML data by the XML parser. A remote attacker could exploit this vulnerability to read arbitrary files on the system or cause a denial of service. | |||||
| CVE-2016-4931 | 1 Juniper | 1 Junos Space | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| XML entity injection in Junos Space before 15.2R2 allows attackers to cause a denial of service. | |||||
| CVE-2017-15280 | 1 Umbraco | 1 Umbraco Cms | 2025-04-20 | 4.3 MEDIUM | 5.5 MEDIUM |
| XML external entity (XXE) vulnerability in Umbraco CMS before 7.7.3 allows attackers to obtain sensitive information by reading files on the server or sending TCP requests to intranet hosts (aka SSRF), related to Umbraco.Web/umbraco.presentation/umbraco/dialogs/importDocumenttype.aspx.cs. | |||||
| CVE-2017-1383 | 1 Ibm | 2 Infosphere Information Server, Softlayer | 2025-04-20 | 6.4 MEDIUM | 9.1 CRITICAL |
| IBM InfoSphere Information Server 9.1, 11.3, and 11.5 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 127155. | |||||
| CVE-2017-6895 | 1 Usb Pratirodh Project | 1 Usb Pratirodh | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| USB Pratirodh allows remote attackers to conduct XML External Entity (XXE) attacks via XML data in usb.xml. | |||||
| CVE-2016-5002 | 1 Apache | 1 Xml-rpc | 2025-04-20 | 9.3 HIGH | 7.8 HIGH |
| XML external entity (XXE) vulnerability in the Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted DTD. | |||||
| CVE-2014-3600 | 1 Apache | 1 Activemq | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| XML external entity (XXE) vulnerability in Apache ActiveMQ 5.x before 5.10.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML messages. | |||||