Total
1035 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-38342 | 1 Safe | 1 Fme Server | 2024-11-21 | N/A | 8.5 HIGH |
| Safe Software FME Server v2021.2.5, v2022.0.0.2 and below was discovered to contain a XML External Entity (XXE) vulnerability which allows authenticated attackers to perform data exfiltration or Server-Side Request Forgery (SSRF) attacks. | |||||
| CVE-2022-37911 | 1 Arubanetworks | 2 Arubaos, Sd-wan | 2024-11-21 | N/A | 3.8 LOW |
| Due to improper restrictions on XML entities multiple vulnerabilities exist in the command line interface of ArubaOS. A successful exploit could allow an authenticated attacker to retrieve files from the local system or cause the application to consume system resources, resulting in a denial of service condition. | |||||
| CVE-2022-37189 | 1 Ddmal | 1 Mei2volpiano | 2024-11-21 | N/A | 7.5 HIGH |
| DDMAL MEI2Volpiano 0.8.2 is vulnerable to XML External Entity (XXE), leading to a Denial of Service. This occurs due to the usage of the unsafe 'xml.etree' library to parse untrusted XML input. | |||||
| CVE-2022-36969 | 1 Aveva | 1 Aveva Edge | 2024-11-21 | N/A | 7.1 HIGH |
| This vulnerability allows remote attackers to disclose sensitive information on affected installations of AVEVA Edge 2020 SP2 Patch 0(4201.2111.1802.0000). User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the LoadImportedLibraries method. Due to the improper restriction of XML External Entity (XXE) references, a crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose information in the context of the current process. Was ZDI-CAN-17394. | |||||
| CVE-2022-36773 | 2 Ibm, Netapp | 2 Cognos Analytics, Oncommand Insight | 2024-11-21 | N/A | 8.1 HIGH |
| IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 233571. | |||||
| CVE-2022-35741 | 1 Apache | 1 Cloudstack | 2024-11-21 | N/A | 9.8 CRITICAL |
| Apache CloudStack version 4.5.0 and later has a SAML 2.0 authentication Service Provider plugin which is found to be vulnerable to XML external entity (XXE) injection. This plugin is not enabled by default and the attacker would require that this plugin be enabled to exploit the vulnerability. When the SAML 2.0 plugin is enabled in affected versions of Apache CloudStack could potentially allow the exploitation of XXE vulnerabilities. The SAML 2.0 messages constructed during the authentication flow in Apache CloudStack are XML-based and the XML data is parsed by various standard libraries that are now understood to be vulnerable to XXE injection attacks such as arbitrary file reading, possible denial of service, server-side request forgery (SSRF) on the CloudStack management server. | |||||
| CVE-2022-35168 | 1 Sap | 1 Business One | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Due to improper input sanitization of XML input in SAP Business One - version 10.0, an attacker can perform a denial-of-service attack rendering the system temporarily inoperative. | |||||
| CVE-2022-34832 | 1 Vermeg | 1 Agile Reporter | 2024-11-21 | N/A | 6.5 MEDIUM |
| An issue was discovered in VERMEG AgileReporter 21.3. XXE can occur via an XML document to the Analysis component. | |||||
| CVE-2022-34793 | 1 Jenkins | 1 Recipe | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Jenkins Recipe Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2022-34348 | 1 Ibm | 1 Sterling Partner Engagement Manager | 2024-11-21 | N/A | 7.1 HIGH |
| IBM Sterling Partner Engagement Manager 6.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 230017. | |||||
| CVE-2022-34001 | 1 Unit4 | 1 Enterprise Resource Planning | 2024-11-21 | N/A | 6.5 MEDIUM |
| Unit4 ERP through 7.9 allows XXE via ExecuteServerProcessAsynchronously. | |||||
| CVE-2022-32755 | 1 Ibm | 3 Security Directory Server, Security Directory Suite, Security Verify Directory | 2024-11-21 | N/A | 5.5 MEDIUM |
| IBM Security Directory Server 6.4.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 228505. | |||||
| CVE-2022-32458 | 1 Digiwin | 1 Business Process Management | 2024-11-21 | N/A | 7.5 HIGH |
| Digiwin BPM has a XML External Entity Injection (XXE) vulnerability due to insufficient validation for user input. An unauthenticated remote attacker can perform XML injection attack to access arbitrary system files. | |||||
| CVE-2022-32285 | 1 Mendix | 1 Saml | 2024-11-21 | 4.3 MEDIUM | 7.5 HIGH |
| A vulnerability has been identified in Mendix SAML Module (Mendix 7 compatible) (All versions < V1.16.6), Mendix SAML Module (Mendix 8 compatible) (All versions < V2.2.2), Mendix SAML Module (Mendix 9 compatible) (All versions < V3.2.3). The affected module is vulnerable to XML External Entity (XXE) attacks due to insufficient input sanitation. This may allow an attacker to disclose confidential data under certain circumstances. | |||||
| CVE-2022-31775 | 1 Ibm | 1 Datapower Gateway | 2024-11-21 | N/A | 9.1 CRITICAL |
| IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 228359. | |||||
| CVE-2022-31678 | 1 Vmware | 2 Cloud Foundation, Nsx Data Center | 2024-11-21 | N/A | 9.1 CRITICAL |
| VMware Cloud Foundation (NSX-V) contains an XML External Entity (XXE) vulnerability. On VCF 3.x instances with NSX-V deployed, this may allow a user to exploit this issue leading to a denial-of-service condition or unintended information disclosure. | |||||
| CVE-2022-31471 | 1 Untangle Project | 1 Untangle | 2024-11-21 | N/A | 7.5 HIGH |
| untangle is a python library to convert XML data to python objects. untangle versions 1.2.0 and earlier improperly restricts XML external entity references. By exploiting this vulnerability, a remote unauthenticated attacker may read the contents of local files. | |||||
| CVE-2022-31447 | 1 Magicpin | 1 Magicpin | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An XML external entity (XXE) injection vulnerability in Magicpin v3.4 allows attackers to access sensitive database information via a crafted SVG file. | |||||
| CVE-2022-31261 | 1 Morpheusdata | 1 Morpheus | 2024-11-21 | 4.3 MEDIUM | 7.5 HIGH |
| An XXE issue was discovered in Morpheus through 5.2.16 and 5.4.x through 5.4.4. A successful attack requires a SAML identity provider to be configured. In order to exploit the vulnerability, the attacker must know the unique SAML callback ID of the configured identity source. A remote attacker can send a request crafted with an XXE payload to invoke a malicious DTD hosted on a system that they control. This results in reading local files that the application has access to. | |||||
| CVE-2022-30971 | 1 Jenkins | 1 Storable Configs | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Jenkins Storable Configs Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||