Total
1103 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-1192 | 1 Ibm | 1 Sterling B2b Integrator | 2025-04-20 | 6.4 MEDIUM | 8.2 HIGH |
| IBM Sterling B2B Integrator 5.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. IBM X-Force ID: 123663. | |||||
| CVE-2017-1000061 | 1 Xmlsec Project | 1 Xmlsec | 2025-04-20 | 5.8 MEDIUM | 7.1 HIGH |
| xmlsec 1.2.23 and before is vulnerable to XML External Entity Expansion when parsing crafted input documents, resulting in possible information disclosure or denial of service | |||||
| CVE-2017-1289 | 1 Ibm | 1 Sdk | 2025-04-20 | 6.4 MEDIUM | 8.2 HIGH |
| IBM SDK, Java Technology Edition is vulnerable XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. IBM X-Force ID: 125150. | |||||
| CVE-2017-5992 | 1 Python | 1 Openpyxl | 2025-04-20 | 5.8 MEDIUM | 8.2 HIGH |
| Openpyxl 2.4.1 resolves external entities by default, which allows remote attackers to conduct XXE attacks via a crafted .xlsx document. | |||||
| CVE-2014-9487 | 1 Mediawiki | 1 Mediawiki | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| The getid3 library in MediaWiki before 1.24.1, 1.23.8, 1.22.15 and 1.19.23 allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack. NOTE: Related to CVE-2014-2053. | |||||
| CVE-2015-7241 | 1 Sap | 1 Netweaver | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| XML External Entity (XXE) vulnerability in SAP Netweaver before 7.01. | |||||
| CVE-2015-7273 | 1 Dell | 3 Integrated Remote Access Controller 7, Integrated Remote Access Controller 8, Integrated Remote Access Controller Firmware | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Dell Integrated Remote Access Controller (iDRAC) 7/8 before 2.21.21.21 has XXE. | |||||
| CVE-2016-6256 | 1 Sap | 1 Business One | 2025-04-20 | 6.8 MEDIUM | 9.6 CRITICAL |
| SAP Business One for Android 1.2.3 allows remote attackers to conduct XML External Entity (XXE) attacks via crafted XML data in a request to B1iXcellerator/exec/soap/vP.001sap0003.in_WCSX/com.sap.b1i.vplatform.runtime/INB_WS_CALL_SYNC_XPT/INB_WS_CALL_SYNC_XPT.ipo/proc, aka SAP Security Note 2378065. | |||||
| CVE-2017-12216 | 1 Cisco | 1 Socialminer | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| A vulnerability in the web-based user interface of Cisco SocialMiner could allow an unauthenticated, remote attacker to have read and write access to information stored in the affected system. The vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing an XML file. An attacker could exploit this vulnerability by convincing the administrator of an affected system to import a crafted XML file with malicious entries, which could allow the attacker to read and write files and execute remote code within the application. Cisco Bug IDs: CSCvf47946. | |||||
| CVE-2022-25628 | 1 Broadcom | 1 Symantec Identity Governance And Administration | 2025-04-18 | N/A | 8.8 HIGH |
| An authenticated user can perform XML eXternal Entity injection in Management Console in Symantec Identity Manager 14.4 | |||||
| CVE-2025-24911 | 2025-04-17 | N/A | 4.9 MEDIUM | ||
| Overview XML documents optionally contain a Document Type Definition (DTD), which, among other features, enables the definition of XML entities. It is possible to define an entity by providing a substitution string in the form of a URI. Once the content of the URI is read, it is fed back into the application that is processing the XML. This application may echo back the data (e.g. in an error message), thereby exposing the file contents. (CWE-611) Description Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.2, including 9.3.x and 8.3.x, do not correctly protect Data Access XMLParserFactoryProducer against out-of-band XML External Entity Reference. Impact By submitting an XML file that defines an external entity with a file:// URI, an attacker can cause the processing application to read the contents of a local file. Using URIs with other schemes such as http://, the attacker can force the application to make outgoing requests to servers that the attacker cannot reach directly, which can be used to bypass firewall restrictions or hide the source of attacks such as port scanning. | |||||
| CVE-2025-24910 | 2025-04-17 | N/A | 4.9 MEDIUM | ||
| Overview XML documents optionally contain a Document Type Definition (DTD), which, among other features, enables the definition of XML entities. It is possible to define an entity by providing a substitution string in the form of a URI. Once the content of the URI is read, it is fed back into the application that is processing the XML. This application may echo back the data (e.g. in an error message), thereby exposing the file contents. (CWE-611) Description Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.2, including 9.3.x and 8.3.x, do not correctly protect Pentaho Data Integration MessageSourceCrawler against out-of-band XML External Entity Reference. Impact By submitting an XML file that defines an external entity with a file:// URI, an attacker can cause the processing application to read the contents of a local file. Using URIs with other schemes such as http://, the attacker can force the application to make outgoing requests to servers that the attacker cannot reach directly, which can be used to bypass firewall restrictions or hide the source of attacks such as port scanning. | |||||
| CVE-2020-14478 | 1 Rockwellautomation | 1 Factorytalk Services Platform | 2025-04-17 | 5.6 MEDIUM | 7.1 HIGH |
| A local, authenticated attacker could use an XML External Entity (XXE) attack to exploit weakly configured XML files to access local or remote content. A successful exploit could potentially cause a denial-of-service condition and allow the attacker to arbitrarily read any local file via system-level services. | |||||
| CVE-2021-42537 | 1 Visam | 1 Vbase Web-remote | 2025-04-17 | N/A | 5.9 MEDIUM |
| VISAM VBASE version 11.6.0.6 processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. | |||||
| CVE-2024-46603 | 1 Elspec-ltd | 2 G5dfr, G5dfr Firmware | 2025-04-16 | N/A | 7.5 HIGH |
| An XML External Entity (XXE) vulnerability in Elspec Engineering G5 Digital Fault Recorder Firmware v1.2.1.12 allows attackers to cause a Denial of Service (DoS) via a crafted XML payload. | |||||
| CVE-2024-46602 | 1 Elspec-ltd | 2 G5dfr, G5dfr Firmware | 2025-04-16 | N/A | 7.5 HIGH |
| An issue was discovered in Elspec G5 digital fault recorder version 1.2.1.12 and earlier. An XML External Entity (XXE) vulnerability may allow an attacker to cause a Denial of Service (DoS) via a crafted XML payload. | |||||
| CVE-2025-31497 | 2025-04-16 | N/A | 7.5 HIGH | ||
| TEIGarage is a webservice and RESTful service to transform, convert and validate various formats, focussing on the TEI format. The Document Conversion Service contains a critical XML External Entity (XXE) Injection vulnerability in its document conversion functionality. The service processes XML files during the conversion process but fails to disable external entity processing, allowing an attacker to read arbitrary files from the server's filesystem. This vulnerability could allow attackers to read sensitive files from the server's filesystem, potentially exposing configuration files, credentials, or other confidential information. Additionally, depending on the server configuration, this could potentially be used to perform server-side request forgery (SSRF) attacks by making the server connect to internal services. This issue is patched in version 1.2.4. A workaround for this vulnerability includes disabling external entity processing in the XML parser by setting the appropriate security features (e.g., XMLConstants.FEATURE_SECURE_PROCESSING). | |||||
| CVE-2016-7460 | 1 Vmware | 1 Vrealize Automation | 2025-04-12 | 6.4 MEDIUM | 9.1 CRITICAL |
| The Single Sign-On feature in VMware vCenter Server 5.5 before U3e and 6.0 before U2a and vRealize Automation 6.x before 6.2.5 allows remote attackers to read arbitrary files or cause a denial of service via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. | |||||
| CVE-2016-9318 | 3 Canonical, Xmlsec Project, Xmlsoft | 3 Ubuntu Linux, Xmlsec, Libxml2 | 2025-04-12 | 4.3 MEDIUM | 5.5 MEDIUM |
| libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document. | |||||
| CVE-2016-9181 | 1 Image-info Project | 1 Image-info For Perl | 2025-04-12 | 5.8 MEDIUM | 7.1 HIGH |
| perl-Image-Info: When parsing an SVG file, external entity expansion (XXE) was not disabled. An attacker could craft an SVG file which, when processed by an application using perl-Image-Info, could cause denial of service or, potentially, information disclosure. | |||||