Total
1103 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-12711 | 1 Cisco | 1 Unified Communications Manager | 2024-11-21 | 6.4 MEDIUM | 6.5 MEDIUM |
| A vulnerability in the web-based interface of Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition (SME) could allow an unauthenticated, remote attacker to access sensitive information or cause a denial of service (DoS) condition. The vulnerability is due to improper restrictions on XML entities. An attacker could exploit this vulnerability by sending malicious requests to an affected system that contain references in XML entities. A successful exploit could allow the attacker to retrieve files from the local system, resulting in the disclosure of sensitive information, or cause the application to consume available resources, resulting in a DoS condition. | |||||
| CVE-2019-12415 | 2 Apache, Oracle | 27 Poi, Application Testing Suite, Banking Enterprise Originations and 24 more | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing. | |||||
| CVE-2019-12331 | 1 Phpoffice | 1 Phpspreadsheet | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| PHPOffice PhpSpreadsheet before 1.8.0 has an XXE issue. The XmlScanner decodes the sheet1.xml from an .xlsx to utf-8 if something else than UTF-8 is declared in the header. This was a security measurement to prevent CVE-2018-19277 but the fix is not sufficient. By double-encoding the the xml payload to utf-7 it is possible to bypass the check for the string ‚<!ENTITY‘ and thus allowing for an xml external entity processing (XXE) attack. | |||||
| CVE-2019-12154 | 1 Realobjects | 1 Pdfreactor | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| XXE in the XML parser library in RealObjects PDFreactor before 10.1.10722 allows attackers to supply malicious XML content in externally referenced resources, leading to disclosure of local file contents and/or denial of service conditions. | |||||
| CVE-2019-11677 | 1 Zohocorp | 1 Manageengine Firewall Analyzer | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The Custom Report import function in Zoho ManageEngine Firewall Analyzer before 12.3 Build 123224 is vulnerable to XML External Entity (XXE) Injection. | |||||
| CVE-2019-11519 | 1 Nopcommerce | 1 Nopcommerce | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
| Libraries/Nop.Services/Localization/LocalizationService.cs in nopCommerce through 4.10 allows XXE via the "Configurations -> Languages -> Edit Language -> Import Resources -> Upload XML file" screen. | |||||
| CVE-2019-11392 | 1 Dotnetblogengine | 1 Blogengine.net | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| BlogEngine.NET 3.3.7 and earlier allows XXE via an apml file to syndication.axd. | |||||
| CVE-2019-11216 | 1 Bmc | 1 Remedy Smart Reporting | 2024-11-21 | 5.5 MEDIUM | 6.5 MEDIUM |
| BMC Smart Reporting 7.3 20180418 allows authenticated XXE within the import functionality. One can import a malicious XML file and perform XXE attacks to download local files from the server, or do DoS attacks with XML expansion attacks. XXE with direct response and XXE OOB are allowed. | |||||
| CVE-2019-10976 | 1 Mitsubishielectric | 2 Electric Fr Configurator2, Electric Fr Configurator2 Firmware | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
| Mitsubishi Electric FR Configurator2, Version 1.16S and prior. This vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project and/or template file (.frc2). Once a user opens the file, the attacker could read arbitrary files. | |||||
| CVE-2019-10782 | 1 Checkstyle | 1 Checkstyle | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| All versions of com.puppycrawl.tools:checkstyle before 8.29 are vulnerable to XML External Entity (XXE) Injection due to an incomplete fix for CVE-2019-9658. | |||||
| CVE-2019-10718 | 1 Dotnetblogengine | 1 Blogengine.net | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| BlogEngine.NET 3.3.7.0 and earlier allows XML External Entity Blind Injection, related to pingback.axd and BlogEngine.Core/Web/HttpHandlers/PingbackHandler.cs. | |||||
| CVE-2019-10466 | 1 Jenkins | 1 360 Fireline | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
| An XML external entities (XXE) vulnerability in Jenkins 360 FireLine Plugin allows attackers with Overall/Read access to have Jenkins resolve external entities, resulting in the extraction of secrets from the Jenkins agent, server-side request forgery, or denial-of-service attacks. | |||||
| CVE-2019-10337 | 1 Jenkins | 1 Token Macro | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An XML external entities (XXE) vulnerability in Jenkins Token Macro Plugin 2.7 and earlier allowed attackers able to control a the content of the input file for the "XML" macro to have Jenkins resolve external entities, resulting in the extraction of secrets from the Jenkins agent, server-side request forgery, or denial-of-service attacks. | |||||
| CVE-2019-10327 | 1 Jenkins | 1 Pipeline Maven Integration | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
| An XML external entities (XXE) vulnerability in Jenkins Pipeline Maven Integration Plugin 1.7.0 and earlier allowed attackers able to control a temporary directory's content on the agent running the Maven build to have Jenkins parse a maliciously crafted XML file that uses external entities for extraction of secrets from the Jenkins master, server-side request forgery, or denial-of-service attacks. | |||||
| CVE-2019-10309 | 1 Jenkins | 1 Self-organizing Swarm Modules | 2024-11-21 | 4.8 MEDIUM | 9.3 CRITICAL |
| Jenkins Self-Organizing Swarm Plug-in Modules Plugin clients that use UDP broadcasts to discover Jenkins masters do not prevent XML External Entity processing when processing the responses, allowing unauthorized attackers on the same network to read arbitrary files from Swarm clients. | |||||
| CVE-2019-10266 | 1 Ahsay | 1 Cloud Backup Suite | 2024-11-21 | 7.8 HIGH | 7.5 HIGH |
| An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. When sending an out-of-bounds XML document to a URL, it is possible to read the file structure and even the content of files without authentication. | |||||
| CVE-2019-10264 | 1 Ahsay | 1 Cloud Backup Suite | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. With a valid administrator account, the "Move / Import / Export Users" screen has an Import Users option. This option accepts a ZIP archive containing a users.xml file that can trigger XXE. | |||||
| CVE-2019-10244 | 1 Eclipse | 1 Kura | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| In Eclipse Kura versions up to 4.0.0, the Web UI package and component services, the Artemis simple Mqtt component and the emulator position service (not part of the device distribution) could potentially be target of XXE attack due to an improper factory and parser initialisation. | |||||
| CVE-2019-10172 | 4 Apache, Debian, Fasterxml and 1 more | 5 Spark, Debian Linux, Jackson-mapper-asl and 2 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar CVE-2016-3720 also affects codehaus jackson-mapper-asl libraries but in different classes. | |||||
| CVE-2019-10080 | 1 Apache | 1 Nifi | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| The XMLFileLookupService in NiFi versions 1.3.0 to 1.9.2 allowed trusted users to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE) and reveal information such as the versions of Java, Jersey, and Apache that the NiFI instance uses. | |||||